A Novel Way to Protect Patients

A man in a hospital bed with the words behind the hack.

Tackling the intersection of cybersecurity and patient safety

With fewer than 100 days until MITRE Engenuity’s Embedded Capture the Flag™ (eCTF) kicks off, we took the time to speak with Dr. Matt Weir, an applied cybersecurity engineer at MITRE who is involved in the security of healthcare devices within the MITRE Healthcare Lab. During our conversation, we explored the importance of cybersecurity elements, the people who are involved and affected by them, and how eCTF2024 works to service that community by equipping the next generation of embedded security professionals.

What is the MITRE Healthcare Lab?

MITRE’s Healthcare Lab is exploring how cybersecurity intersects with increasingly technology-reliant clinical settings. Through their research they endeavor to answer:

  • How do we apply security controls to devices in a hospital environment?
  • How do you protect medical devices where traditional security controls (e.g. antivirus software on a pacemaker) are not appropriate?
  • How do we deploy updates to medical devices safely, securely, and with respect to data protection?

What parts of a clinical setting are explored for security efficiencies?

“Pretty much everything connected to a patient,” can be open to cyber-attack and other vulnerabilities, says Dr. Weir. The fact is that millions of people rely on these devices for their healthcare – hearing aids, pacemakers, and insulin pumps are just a few tools that require resilient foundations. Bolstering cybersecurity for vulnerable devices is critical, especially as an aging population (often not fully literate in technology) begins to rely more on smart devices. That’s why MITRE’s work is so impactful and why MITRE Engenuity’s 2024 eCTF challenge is particularly important.

What exactly are we talking about?

There are various types of hospital information systems which require adequate monitoring, advanced security protocols, and threat defense initiatives, including:

  • Patient monitoring systems
  • Electronic Health Record systems (EHRs)
  • Picture Archive and Communication systems (PACS)

Personal medical devices also remain at risk for adversary action – these include, but are not limited to:

  • Implanted devices
  • Devices carried externally on the body
  • Hybrid devices (e.g. insulin pumps or cochlear implants)
  • Devices that communicate readings to medical teams remotely

What’s so different about a medical device versus a car or household “smart” device?

From a design and threat standpoint, not much. Medical devices tap into the same chip supply chain as everyone else. In fact, some home smart locks use the same Bluetooth chips as pacemakers! In short, any bad actor that can attack a door lock could also attack a pacemaker. Luckily, medical devices tend to be built with redundancy and safety in mind. Therefore, while both a door lock and a pacemaker might have the same vulnerability, design features of the pacemaker can make it resilient to the attack and continue to provide safe and effective care.

If we can’t design the perfect device, what then?

The question should be: how do we design a device that responds well to failure? Dr. Weir refers to this as “failing gracefully.” Resiliency is key. Designing, building, and implementing systems that are resilient enough to withstand an attack in such a way that the primary function, upon which the patient is reliant, remains intact and continues to provide effective care. This is the essential difference between the Bluetooth chip in the door lock and the one in the pacemaker: the pacemaker manufacturers were able to decouple the piece of the device that supplies help to the heart from the part that records and communicates back to the patient’s care team. While the communication portion fell to the attack, the device was still able to provide its care to the patient. It failed gracefully.

Resilient connectivity is an additional concern. Access to Wi-Fi and servers makes it possible for caregivers to monitor patients remotely, to record and track patient histories over time, and to update treatment plans in real time. Conversely, it also means that exploitation of medical data is a constant threat.


What does the future of security in medical devices look like?

Following COVID, much of healthcare moved to a remote setting, storing more info in the cloud, and patient facilities are exploring more innovative ways to provide at-home healthcare solutions. “Security boundaries are becoming more porous,” says Dr. Weir.  In these circumstances, with devices that are no longer within the protection of hospital security controls, the risks of infiltration go up.

The ability to innovate around the scope and intricacy of medical device cyber protections will be crucial to this year’s eCTF challenge – and it all begins in one place: MITRE Playbook for Threat Modeling Medical Devices. This free guide can help students better understand structure techniques for threats within medical devices. It also covers mitigations that relate directly to threats facing medical devices that.

Ultimately, the goal of MITRE’s Healthcare Lab is to better understand IoT and Smart devices in a clinical setting so that patients can receive continued safe and effective care.  Exploring the security of a medical device is a difficult challenge that has real world impact. As operations continue to shift away from centralized healthcare systems, the need for experienced embedded security professionals will continue to grow. The ability to ideate around the best ways to design secure devices, and defend them from adversaries, creates a foundation upon which students can build a fruitful career.

“The more people that get involved, the happier I am,” laughs Dr. Weir. We couldn’t agree more.

Get involved

For more information on MITRE Engenuity eCTF and to register a team, visit: Team Registration.

If interested in supporting the future of embedded security professionals through competition sponsorships, please explore those opportunities here: eCTF Competition Sponsorship | MITRE Engenuity (mitre-engenuity.org)

© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number ME0108