Guarding intellectual property (IP) has always been a priority for medical device manufacturers as competitors and even nation states are constantly trying to compromise or steal IP. For example, in January 2019, a Chinese national who stole secrets while working for medical device companies including Medtronic and Edwards, was sentenced to over two years in federal prison. Over time, Wenfeng Lu had copied numerous documents belonging to both of his employers that contained technical information and trade secrets, took them home, and placed them on his personal laptop computer. He was arrested as he prepared to board a plane to the PRC.
It has never been easier or more profitable to hack devices for their IP. More and more medical devices have transformed from mechanical devices with limited software, to software packed devices. Companies spend billions of dollars on R&D for years upon years, only to leave vulnerabilities in the software and firmware of the devices, opening the door for hackers to waltz in, and steal their IP. Something is horribly wrong with this scenario.
Sometimes the vulnerabilities are created during the development process, and sometimes they come part and parcel from the components received from their supply chain providers. Amplifying the challenge is the shortage of parts and components caused in part by the pandemic. This is driving many manufacturers to seek alternative suppliers who can produce steady supplies. With new suppliers comes the added risk of new, untested components and the potential for many new threats and vulnerabilities.
Organizations that wish to secure their IP from theft and misuse need to do a much better job at securing the devices that they produce.
What’s at stake
Stolen intellectual property enables hackers to re-engineer and sell the same device with a fraction of the investment in R&D. Wenfeng Lu for example had obtained financing and was preparing to open a company in the PRC that would manufacture devices used to treat vascular problems and would use technology he had stolen from his American employers, according to court documents.
The Commission on the Theft of American Intellectual Property estimates that annual costs from IP losses range from $225 billion to $600 billion. IP infringement may significantly affect a company’s revenue and put downward pressure on its prices. If a competitor steals a company’s product trade secrets, it may beat that company to market with a new and innovative product, undercutting the victim’s market share.
Medical device companies face a very competitive environment, increasing the incentive for IP theft. Stealing IP using online hacking techniques has become more widespread and harmful due to low costs, difficult attribution and the ability to remotely hack systems.
The device is the target
While it is true that the IP can leak from internal sources and insider threats, IP is being hacked more and more through cyber-attacks on the device itself. For example, a recent case was reported where a Massachusetts medical device engineering company experienced hacking of source code for its medical devices and algorithms, essential to operate the devices. Devices reside at the customer’s location and can often be accessed, investigated and reverse engineered at the attacker’s leisure.
New Common Vulnerabilities and Exposures (CVEs) frequently appear and risk assessments are often only sporadically executed during the development process, and not done at all after the product is launched. This means that there are significant time periods when devices are wide open to hacks, allowing hackers to steal software and firmware algorithms and disappear, without anyone ever knowing they were there.
Hardening the device
Protecting IP assets is a business-critical task. Protecting the IP on a device requires a holistic approach to device security. Locking down the interfaces, as well as protecting the software code and firmware, is crucial for defending against IP theft. While there is no guarantee of protection, the goal is to increase the level of difficulty to the point where there are many more obstacles, and more time and cost required for hacking the device.
It’s imperative that medical manufacturers defend themselves from IP theft, including targeted cyber-attacks. To protect IP, enterprises need product security systems that automatically and continuously monitor medical device software and firmware, uncovering known and zero day vulnerabilities.
Protecting the code
The software and firmware running the device are a valuable target for attackers. Adding layers of protection to make the code less accessible to attackers, is essential to securing IP. This includes uncovering errors in the code that could allow attackers to enter, encryption of the data and storage, and using obfuscation techniques to make reverse engineering more challenging.
Manufacturers should employ continuous vulnerability assessments of the software deployed on medical devices, using vulnerability databases. They should ensure that the cybersecurity platform they enlist is also able to detect zero-day vulnerabilities. The monitoring should stretch through the entire lifecycle from design to end-of-life of the device. The solution should also be able to output software bill of materials (SBOM) or cyber bill of materials (CBOM) and remediation options for any threats or vulnerabilities discovered.
Keeping products secure
One of the most effective ways to secure the IP on a device is to eliminate the easiest method for hacking the device, known vulnerabilities. Attackers scan targets for known and published vulnerabilities to use as starting points for attacks. Vulnerability management requires continuous monitoring of threats and vulnerabilities throughout the product lifecycle. Late discovery or lack of proper remediation of discovered vulnerabilities can lead to costly recalls, and damage to brand and bottom line.
Vulnerability monitoring is not about taking a one-off SBOM or CBOM snapshot, but product security teams need to establish ongoing processes and policies to proactively and collaboratively manage cyber-threats in medical devices, together with their development teams and suppliers. They need visibility and understanding of the make and characteristics of their software asset inventory, reliable and timely vulnerability data, automated workflows, that will drive cybersecurity within the organization and continuous vulnerability management, well after medical equipment has been sold and deployed. Putting these safeguards into place may not provide a hermetic seal against attacks, but it will certainly make it much more difficult for the hacker to gain access and cause damage.
Learn more about Cybellum at www.cybellum.com.