
Running head: CYBERSECURITY VULNERABILITIES IN HEALTH CARE 1

Cybersecurity Vulnerabilities in Health Care: Medical Devices and the Internet of Things

Sarah Armenio

University of San Diego



According to the Identity Theft Resource Center (ITRC), the number of U.S. data breaches is at an all-time high for the first half of 2017 (ITRC, 2017). There was a 29% increase in data breaches from the previous year, with 791 recorded breaches through June 30, 2017. While the business sector falls victim to the largest number of attacks and breaches, the health care sector has not been spared. With healthcare accounting for 22.6% of all breaches thus far this year, it equals the number of breaches in banking, government, and education combined.

Breaches allow hackers to access personal data or health information to exploit individuals. These types of cyber-attacks can also interfere with the treatment of patients and patient safety. The widely publicized WannaCry ransomware attack on hospitals in the United Kingdom and elsewhere has demonstrated that hackers have learned to exploit outdated software in health care systems. In these attacks, a known security vulnerability was used to gain control of the computer and prevent anyone from using it unless the user paid a ransom. Hospitals were put in a critical situation, as computers can be used to access patient records and assist the treatment of patients through Electronic Medical Records (EMRs). Perhaps most disheartening is that the situation could have been avoided if the computers were kept up-to-date. Software patches that eliminated the vulnerability were released prior to the attack; however, the affected organizations had not applied them to their computers, thus rendering the hospitals’ computers still vulnerable.

Security should be a priority of every health care organization. It is important to not only secure the patient data, but also to secure all information technology (IT) systems in an organization to ensure that the treatment of patients is not compromised. Any type of successful cyberattack on a hospital detracts from the organization’s main purpose, which is to treat patients. The Centers for Disease Control and Prevention (CDC) has published new tools to help organizations address cybersecurity, which further highlights the importance and priority of cybersecurity in health care (CDC, 2016). Yet, given the increase of successful attacks this year, it seems many health care organizations have not prioritized IT and cybersecurity or are only beginning to devote the necessary resources in the aftermath of recent ransomware attacks. The lack of readiness for an attack has made health care organizations an easy target.

However, even as health organizations rush to improve the IT security of their network, emerging technologies and the use of medical devices are creating new or undiscovered vulnerabilities that are yet to be accounted for. Keeping track of the thousands of medical devices in a hospital can be a daunting task. Ensuring that a device’s operating system is up to date and adequate in reducing vulnerabilities is even more challenging. Medical devices such as insulin pumps and pacemakers can be hacked to administer lethal doses or stop functioning. As technology advances, medical devices are also becoming wireless, which offers new access points for hackers. With the growing fields of the Internet of Things (IoT) and wireless sensor networks (WSN), devices are even more vulnerable to attacks, as traditional security measures are not built into these products.

This paper will review the current literature and state of cybersecurity in health systems, medical devices, and the Internet of Things to identify potential solutions to the issue. Properly maintaining software and hardware in health organizations is key to mitigating the risk of cyberattacks. A system to track and update existing software, medical devices, and other connected IoT devices in hospitals will be reviewed as a potential solution, with an investigation into potential failures. A quality measurement plan will be used to evaluate the effectiveness of the proposed software tracking and update system.

Literature Review

A literature review was conducted to examine the current state of cybersecurity in health care information systems (HIT) and identify potential solutions for preparing and responding to malicious cyber-attacks. The literature search resulted in a number of recent U.S. congressional reports and hearings on the issue, along with several scholarly papers discussing the current trends and potential solutions.

In June of 2017, the Health Care Industry Cybersecurity Task Force presented a “Report on Improving the Health Care Industry Cybersecurity” to U.S. congressional committees (2017). The report acknowledged that cybersecurity has traditionally been viewed as an information technology (IT) challenge in the health care industry. A lack of understanding of the risks of cyber-attacks, along with a lack of resources and trained personnel, were identified by the report as a few of many obstacles. These obstacles are particularly relevant for smaller organizations where there is no dedicated individual for IT security. Additionally, legacy hardware, software, and operating systems with known vulnerabilities are difficult and costly to replace. The report noted that the importance of cybersecurity is not always acknowledged nor understood by health care organizational leadership.

The report proposed a number of recommendations in response to the cybersecurity obstacles of a lack of resources and education. One recommendation is to establish leadership and governance that will prioritize and set expectations for security standards in the health care industry. Second, the health care workforce needs to be developed and educated to address cybersecurity threats. Research has shown that awareness of vulnerabilities and education about cyberattacks can improve the IT security measures at an organization (Armstrong, 2000). However, while preparing for a cyber-attack can reduce damages, it is reactive in nature and does little to proactively prevent attacks from occurring. Furthermore, increasing awareness does not address the issue that smaller organizations have limited resources and may not be able to implement wide-ranging security measures. One additional recommendation from the Report on Improving the Health Care Industry Cybersecurity is to increase the security of medical devices and IT. This recommendation includes tracking and updating all IT assets and medical devices as necessary, yet offers no suggestions on how this can be accomplished.

The importance of updated software and medical devices was also reported in a hearing before a subcommittee on Oversight and Investigations of the Committee on Energy and Commerce (Cybersecurity in the Health Care Sector, 2017). Michael McNeil testified on the criticality of including cybersecurity risk management throughout a medical device’s operating system and lifecycle. McNeil noted that the risk management process should include monitoring the security of existing medical devices and that cybersecurity is a shared responsibility among all stakeholders in health care. Individuals from the hearing recommended increasing the sharing of information on detected threats and vulnerabilities among stakeholders to proactively mitigate risks. Sharing this information allows software developers and device manufacturers to correct their products and eliminate known vulnerabilities. However, these corrections require existing products to be updated with the correction. The issue of how to effectively and efficiently update existing products was not addressed in the hearing.

The “Healthcare Organization and Hospital Discussion Guide for Cybersecurity” from the Centers for Disease Control and Prevention was reviewed to investigate any potential processes as a solution for updating devices (2016). The discussion guide highlighted the increased use of wireless devices and the Internet of Things (IoT) in health care. Increased use of such devices also creates increased risk, such as remote enablement and control. Discussing and planning for a cyberattack by hospital staff are noted as key tools to reduce the damage that an attack can cause. Furthermore, active and continuous monitoring of devices and IT systems is crucial. This is a proactive step for securing an organization’s IT systems and was noted as part of the solution to reducing cybersecurity vulnerabilities.

The “Security and Privacy Issues in Wireless Sensor Networks for Healthcare Applications” paper noted that wireless medical devices are particularly vulnerable to their communications being intercepted (Ameen, Liu, & Kwak, 2010). This interception or eavesdropping can allow an attacker to steal or tamper with the data that is being sent from the medical device to a remote server. In addition, information gained from eavesdropping may allow the attacker to gain remote control of the medical device or other IoT application. To counter these attacks, medical devices and the networks they interact with should encrypt the data being sent and always authenticate the transmission. These safeguards must be built into the operating systems of medical devices. When deficiencies in these systems are discovered, they must be quickly patched via a firmware update to avoid eavesdropping and other attacks from occurring.

Health organizations face a variety of threats in cybersecurity with no single solution to the problem. The consensus from the literature is that the health care industry is ill-prepared to prevent cyber-attacks or respond to security breaches. Leadership, resources, personnel, and awareness of threats are all lacking in the current state of the industry. However, the increasing use of IoT and wireless medical devices, such as heart rate, blood pressure, and activity monitors, is creating new challenges for securing the data of hospitals and the patients they serve. Recommendations for improving cybersecurity include education, active threat monitoring, and simulation of attacks. Perhaps more impactful, however, are the proactive measures to mitigate risk by ensuring that legacy systems and devices are monitored and updated to eliminate known vulnerabilities. Yet, such proactive measures can be difficult due to the number of systems and devices in hospitals and the native properties of wireless remote devices that are not always associated with a fixed physical location. Updating devices requires personnel to physically locate each device and deploy an update. As a solution to the difficulties of updating devices to protect against emerging wireless cyber threats, a system to deliver over-the-air (OTA) updates to remote wireless medical devices is proposed in the following sections.

Identified Solution

Outdated firmware or software on medical devices is a core cause of cybersecurity vulnerabilities in health care. In January 2016, the U.S. Food and Drug Administration (FDA) released guidance on the post-market management of cybersecurity in medical devices (Brown, Carey, & Gallant, 2016). This guidance outlined that device manufacturers should deploy mitigations that address cybersecurity risks. It is not enough to identify and report a threat; medical device manufacturers must also implement device changes and release software or firmware updates to affected devices. However, according to the FDA, ensuring that devices are updated with the software update is the responsibility of the health care delivery organization (FDA, n.d.). Thus, a reliable and secure technological system to deliver over-the-air (OTA) updates to remote wireless medical devices is a potential solution for health care delivery organizations to update their medical devices and reduce their cybersecurity vulnerabilities.

Such a method to deliver OTA updates to wireless medical devices must be secure. Wireless sensor networks (WSNs) are insecure by nature and susceptible to eavesdropping or modification of the data that is being transmitted. While there are many protocols for delivering OTA updates, the Seluge++ protocol has been identified as a secure mechanism that is resistant to Denial of Service, Wormhole, and Replay Attacks (Doroodgar, Razzaque, & Isnin, 2014). The Seluge++ protocol also ensures that the data transferred in a WSN is coming from a trusted source and that no modification has been made to the data. A system to deliver OTA updates should implement this protocol or other secure protocols.

Implementing an OTA update system allows health care organizations to quickly update all of their affected medical devices when the device manufacturer releases a software update to eliminate a known vulnerability. Devices with outdated software are more susceptible to attacks, and thus quickly updating devices reduces risk to the organization (Ameen, Liu, & Kwak, 2010). Remotely delivering a software update is also far easier for a health care organization to accomplish than having to physically track and update devices. This saves the organization time and resources. Furthermore, this solution is proactive by protecting the organization from cybersecurity attacks rather than being reactive and taking action once an attack has already occurred. Updated devices reduce the risk to organizations, assure patients of their safety, and allow providers to focus on the care of the individual.



Failure Mode Effect Analysis

The process for the identified solution is outlined below. Each step was analyzed for potential failure modes and a Failure Mode Effects Analysis (FMEA) was performed. The FMEA table is included in the Appendix.

Start

1. Cybersecurity vulnerability detected and shared among device manufacturers

2. Determine which devices and software components are affected

3. Fix implemented and software update released

4. Software update imported into hospital's over-the-air (OTA) server

5. All devices check in with hospital OTA server

6. Is there an update available for this device? No: End. Yes: continue to step 7.

7. Download update and store on device

8. Is device currently being used? (Yes / No) No: continue to step 9.

9. Implement update

10. Did device update successfully? One branch leads to End; the other continues to step 11.

11. Revert to previous version

12. Report update failure to OTA server

End
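
The device-side part of the process above (steps 4 through 12), written out as an added Python example; it is not code from this paper or from any device vendor. The HMAC check is an assumed stand-in for the source authentication the paper attributes to Seluge++, and the model names, the key and the self-test rule are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a pre-shared HMAC key stands in for the source authentication and
# integrity checking that a protocol such as Seluge++ provides. Not Seluge++.
DEMO_KEY = b"constructed-demo-key"

def make_tag(version: int, image: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Bind version and image together so neither can be swapped."""
    return hmac.new(key, version.to_bytes(4, "big") + image, hashlib.sha256).digest()

@dataclass
class Update:
    version: int
    image: bytes
    tag: bytes

@dataclass
class OtaServer:
    updates: dict = field(default_factory=dict)   # model -> Update (step 4)
    failures: list = field(default_factory=list)  # reports received (step 12)

    def check_in(self, model: str, version: int) -> Optional[Update]:
        """Steps 5-6: offer an update only if it is newer than the device's."""
        upd = self.updates.get(model)
        return upd if upd is not None and upd.version > version else None

    def report_failure(self, device_id: str, version: int, reason: str) -> None:
        self.failures.append((device_id, version, reason))

@dataclass
class Device:
    device_id: str
    model: str
    version: int
    image: bytes
    in_use: bool = False
    staged: Optional[Update] = None
    failed: set = field(default_factory=set)  # versions that failed self-test here

    def self_test(self, image: bytes) -> bool:
        """Hypothetical post-install check: a valid image starts with b'FW'."""
        return image.startswith(b"FW")

    def poll(self, server: OtaServer) -> str:
        if self.staged is None:
            upd = server.check_in(self.model, self.version)
            if upd is None or upd.version in self.failed:
                return "no-update"
            # Step 7: verify before storing; reject altered or replayed images.
            fresh = upd.version > self.version
            authentic = hmac.compare_digest(make_tag(upd.version, upd.image), upd.tag)
            if not (fresh and authentic):
                server.report_failure(self.device_id, upd.version, "verification-failed")
                return "rejected"
            self.staged = upd
        if self.in_use:  # step 8: do not interrupt a device that is in use
            return "deferred"
        previous = (self.version, self.image)
        upd, self.staged = self.staged, None
        self.version, self.image = upd.version, upd.image  # step 9
        if self.self_test(self.image):  # step 10
            return "updated"
        self.version, self.image = previous  # step 11
        self.failed.add(upd.version)
        server.report_failure(self.device_id, upd.version, "self-test-failed")  # step 12
        return "rolled-back"

def run_demo() -> dict:
    """Constructed scenario covering the defer, reject and rollback branches."""
    server = OtaServer()
    good = b"FW-v2"
    server.updates["pump-x"] = Update(2, good, make_tag(2, good))
    idle = Device("dev-1", "pump-x", 1, b"FW-v1")
    busy = Device("dev-2", "pump-x", 1, b"FW-v1", in_use=True)
    results = {"idle": idle.poll(server), "busy": busy.poll(server)}
    busy.in_use = False
    results["busy_later"] = busy.poll(server)
    # Image altered after signing: the tag no longer matches.
    server.updates["monitor-y"] = Update(2, b"FW-v2-modified", make_tag(2, good))
    tampered = Device("dev-3", "monitor-y", 1, b"FW-v1")
    results["tampered"] = tampered.poll(server)
    # Authentic but defective image: installs, fails self-test, reverts.
    bad = b"XX-v2"
    server.updates["sensor-z"] = Update(2, bad, make_tag(2, bad))
    broken = Device("dev-4", "sensor-z", 1, b"FW-v1")
    results["broken"] = broken.poll(server)
    results["broken_version"] = broken.version
    results["broken_retry"] = broken.poll(server)
    results["failures"] = list(server.failures)
    return results
```

The `failed` set keeps a device from reinstalling a version that already failed its self-test, so a defective release is reported once instead of being retried at every check-in.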

Quality Measure

For the purposes of measuring the effectiveness of an over-the-air (OTA) mechanism for updating medical devices, quality improvement (QI) measurements were developed. There are 2 measurements that will determine the effectiveness of OTA updates: (1) the percentage of devices in an organization that are running the most recent version of software/firmware available and (2) the average number of days between when an update is released by a manufacturer and when it is installed on a device by the owning organization. The goal for performance improvement is for 95% of devices to be using the most recent version of software/firmware and an average of 2 days or less from release to implementation of software/firmware. These goals were determined after analysis of potential failure modes that were identified in the previous section. Given that there may always be devices that are off or always in use, it may be difficult or impossible to consistently achieve a 100% rate for devices using the latest software/firmware version.

The first step for the QI measurement is to identify and establish a baseline for the data to be collected. An initial inventory of all the medical devices within the health care organization should be performed if not already present. Given the vast numbers of medical devices in an organization, one type of device or one location may be used to narrow the focus. Devices that have frequent updates, are at the highest risk for cyberattacks, or that have the greatest impact on patient safety would be ideal candidates. This inventory should be conducted by the organization’s information technology (IT) department. If the inventory is performed at multiple locations within the organization, the local area network (LAN) administrator should assist in reporting the details for each device at that location. However, the inventory list should be controlled and maintained by a central IT staff member or team.



There are 6 pieces of information that should be documented with each device:

1. Current version of software/firmware installed on device at organization

2. Latest version of software/firmware available for this device from manufacturer

3. Is this device using the most recent software/firmware?

4. Date when the latest version of software/firmware was released

5. Date when device’s software/firmware was last updated (if known)

6. Number of days between when version was released and when device was updated

This inventory serves as the initial state of all devices and gives the baseline for the percentage of devices that are using up-to-date software/firmware. Since the number of days between an update’s release and its implementation may not be known during the initial inventory, devices should be monitored for a period of 6 months to measure the baseline performance of updating devices. During this period, the inventory should be repeated at 1-week intervals. At the end of the 6 months, the average number of days between when a new version was released by a manufacturer and when the device was updated by the organization should be calculated. This gives the second baseline QI measurement.

Once an OTA system is implemented, the inventory should be repeated again at 1-week intervals for 6 months. The nature of OTA mechanisms may make it possible for the data collection and inventory to be performed from a central location and without LAN administrators performing the manual inventory. Additionally, the software/firmware version of devices would also be available on demand. However, the 1-week inventory should still be performed to verify the accuracy of the OTA system and ensure that the collected data is comparable to the baseline data.



Conclusion

Recent cyber-attacks targeting health care organizations have exposed not only organizations’ information technology vulnerabilities but also potential vulnerabilities in medical devices that could impact patient safety if exploited. Reducing these known vulnerabilities in medical devices relies on tracking medical devices and rapidly updating these devices after a software update is released from the manufacturer. An over-the-air (OTA) software/firmware update system could be developed to assist in the rapid and continuous deployment of software updates to medical devices throughout an organization. A failure mode effect analysis of this solution suggests that such a system could be successful, but could face challenges due to connectivity issues, continued use of devices, or devices being powered off for extended periods of time.

More research is necessary to determine if any such OTA systems for medical devices currently exist. However, based on initial analysis it is suspected that no such systems are currently commercially available. Therefore, next steps should include contacting device manufacturers to determine if any such system is being considered and the viability of such a solution. While the solution could prove its merit and usefulness to health care organizations, IT staff, and cybersecurity professionals, any OTA software/firmware solution would require buy-in and commitment from device manufacturers. Manufacturers would need to accept the solution and design their device firmware/software to be compatible with such a system for delivering updates. Development of an OTA system could then be considered in collaboration with device manufacturers.

References

Ameen, M. A., Liu, J., & Kwak, K. (2010, March 12). Security and Privacy Issues in Wireless Sensor Networks for Healthcare Applications. Journal of Medical Systems. 36(93). https://doi.org/10.1007/s10916-010-9449-4

Armstrong, H. (2000, August 22-24). Managing Information Security in Healthcare — an Action Research Experience. Paper presented at IFIP TC11 Sixteenth Annual Working Conference on Information Security, Beijing, China. Retrieved from https://link.springer.com/chapter/10.1007%2F978-0-387-35515-3_3

Brown, N. A., Carey, C. H., & Gallant, M. P. (2016, April 1). Cybersecurity of Postmarket Medical Devices Addressed by FDA in Draft Guidance. Intellectual Property & Technology Law Journal. 28(4). Retrieved from http://0-eds.b.ebscohost.com.sally.sandiego.edu/eds/pdfviewer/pdfviewer?vid=0&sid=4cd54c3e-3a8a-4105-9d3e-6f2a6f9db4ab%40sessionmgr103

Centers for Disease Control and Prevention. (2016, August). Healthcare Organization and Hospital Discussion Guide for Cybersecurity. Retrieved from https://www.cdc.gov/phpr/healthcare/documents/healthcare-organization-and-hospital-cyber-discussion-guide.pdf

Cybersecurity in the Health Care Sector: Strengthening Public-Private Partnerships, Hearing Before the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, United States House of Representatives. 115th Cong. 1 (2017, April 4). Retrieved from https://www.hsdl.org/?abstract&did=801227

Doroodgar, F., Razzaque, M. A., & Isnin, I. F. (2014, March 11). Seluge++: A Secure Over-the-Air Programming Scheme in Wireless Sensor Networks. Sensors. 14(3), 5004-5040. doi:10.3390/s140305004

Health Care Industry Cybersecurity Task Force. (2017, June). Report on Improving Cybersecurity in the Health Care Industry. Retrieved from https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

Identity Theft Resource Center. (2017, July 17). At Mid-Year, U.S. Data Breaches Increase at Record Pace. Retrieved from http://www.idtheftcenter.org/Press-Releases/2017-mid-year-data-breach-report-press-release.

U.S. Food and Drug Administration. (n.d.). The FDA’s Role in Medical Device Cybersecurity. Retrieved from https://www.fda.gov/downloads/medicaldevices/digitalhealth/ucm544684.pdf

Appendix

Failure Mode and Effect Analysis

Process Step #1: Cybersecurity vulnerability detected and shared among device manufacturers

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Vulnerability fails to be detected | Vulnerability is not shared amongst manufacturers | An attack using the vulnerability is not understood |
| Potential Cause(s) | No one attempts to uncover vulnerability | Manufacturer fails to disclose to reporting agencies | When an attack is discovered, it can be difficult to determine how the vulnerability is being exploited |
| Severity | Minor | Minor | Moderate |
| Probability | Frequent | Frequent | Frequent |
| Hazard Score | 4 | 4 | 8 |
| Action (Eliminate, Control, or Accept) | Control | Eliminate | Control |
| Description of Action | Fund teams to actively seek out vulnerabilities in industry | Create mandatory reporting requirements for manufacturers | Fund active response teams in the cybersecurity community |

Process Step #2: Determine which devices and software components are affected

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | So many devices are affected that it is impossible to determine all affected devices | Poor documentation of software makes it difficult to determine if device is affected | Poor description of the vulnerability leads to unidentified devices |
| Potential Cause(s) | Too many devices; Poor documentation and tracking of devices | Poor documentation of code | Poor documentation of vulnerability during reporting |
| Severity | Minor | Minor | Minor |
| Probability | Occasional | Frequent | Frequent |
| Hazard Score | 3 | 4 | 4 |
| Action (Eliminate, Control, or Accept) | Control | Control | Eliminate |
| Description of Action | Industry guidelines for documenting devices | Improve documentation of software and firmware | Create mandatory reporting requirements for manufacturers; Reports should be clear and descriptive |

Process Step #3: Fix implemented and software update released

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Software update occurs too slowly allowing vulnerability to be exploited | Software fix is too difficult to complete | Software fix does not completely address the vulnerability |
| Potential Cause(s) | Slow reaction from manufacturers on fix | Vulnerability buried in code. No existing fixes or workaround | Failure on developer to understand the vulnerability. Poor documentation in reporting. |
| Severity | Moderate | Moderate | Moderate |
| Probability | Frequent | Uncommon | Uncommon |
| Hazard Score | 8 | 4 | 4 |
| Action (Eliminate, Control, or Accept) | Control | Control | Eliminate |
| Description of Action | Enforce max time allowed between reporting and release of fix | Some technology fixes require whole rewrites of firmware rendering device obsolete; Retire devices | Enforce strict reporting guidelines to explain vulnerability clearly |

Process Step #4: Software update imported into hospital’s over-the-air (OTA) server

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Hospital fails to import software update into OTA server | Update fails to import due to server malfunction | New update is not compatible with OTA server |
| Potential Cause(s) | Hospital not aware that update is available; Staff error | Power failure; hardware failure; network connection lost | OTA server not kept up to date |
| Severity | Moderate | Minor | Minor |
| Probability | Occasional | Uncommon | Uncommon |
| Hazard Score | 6 | 2 | 2 |
| Action (Eliminate, Control, or Accept) | Eliminate | Accept | Eliminate |
| Description of Action | Create regular maintenance plans for devices and OTA server to check for new updates | Power failures may be from external forces | Create regular maintenance plans for OTA server |
Process Step #5: All devices check in with hospital OTA server

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Device doesn't have network connectivity | Devices are powered off for an extended period of time | OTA client on the device is not compatible with version of the OTA server |
| Potential Cause(s) | Wireless network down | Devices not in use | OTA server updated more recently than device |
| Severity | Minor | Minor | Minor |
| Probability | Occasional | Occasional | Remote |
| Hazard Score | 3 | 3 | 1 |
| Action (Eliminate, Control, or Accept) | Accept | Control | Control |
| Description of Action | Networks will fail. May be from external or uncontrollable causes | Create regular maintenance schedules for devices. Physically track devices if needed to monitor use. | Create compatible update schedules for OTA Server and devices. |

Process Step #6: Is there an update available for this device?

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Server fails to recognize that an update is available for the device (serious design flaw in OTA server) | Device firmware is corrupted and server is unable to determine if update is available. | OTA client on the device is not compatible with version of the OTA server |
| Potential Cause(s) | Design flaw in OTA server | Damaged or worn out flash memory. Firmware defects | OTA server updated more recently than device |
| Severity | Minor | Minor | Minor |
| Probability | Remote | Uncommon | Remote |
| Hazard Score | 1 | 2 | 1 |
| Action (Eliminate, Control, or Accept) | Accept | Accept | Control |
| Description of Action | Unintentional design flaw by developer | Failures are often uncontrollable or from external sources | Create compatible update schedules for OTA Server and devices |

Process Step #7: Download update and store on device

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Device does not have enough nonvolatile memory for update | Update may be corrupted on OTA server | OTA client on the device is not compatible with version of the OTA server |
| Potential Cause(s) | Poor implementation of update by manufacturer | Server hard drive failure | OTA server updated more recently than device |
| Severity | Minor | Minor | Minor |
| Probability | Remote | Remote | Remote |
| Hazard Score | 1 | 1 | 1 |
| Action (Eliminate, Control, or Accept) | Control | Accept | Control |
| Description of Action | Enforce strict guidelines for documenting and reporting vulnerability. Create communities for device manufacturers to learn from one another | Failures are often uncontrollable or from external forces | Create compatible update schedules for OTA Server and devices |
Process Step #8: Is device currently being used?

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Device never stops being used | Device improperly determines its usage status | Devices are powered off for an extended period of time |
| Potential Cause(s) | Critical device requires continued use for patient. Not enough devices | Defect in firmware. | Devices not in use |
| Severity | Minor | Minor | Minor |
| Probability | Occasional | Uncommon | Occasional |
| Hazard Score | 3 | 2 | 3 |
| Action (Eliminate, Control, or Accept) | Eliminate | Accept | Control |
| Description of Action | Purchase additional devices to ensure there are enough for patients and required downtime maintenance | Unintentional error by developer/device manufacturer | Create regular maintenance schedules for devices. Physically track devices if needed to monitor use |

Process Step #9: Implement Update

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Update is not compatible with the device | Nonvolatile memory has been corrupted between download and implementation | Power is interrupted during implementation |
| Potential Cause(s) | Oversight by manufacturer | Damaged hardware | Power failure in hospital |
| Severity | Minor | Moderate | Minor |
| Probability | Remote | Remote | Remote |
| Hazard Score | 1 | 2 | 1 |
| Action (Eliminate, Control, or Accept) | Control | Accept | Accept |
| Description of Action | Unintentional error by developer or device manufacturer; Improve manufacturing testing to help control; hospital should test update on select devices first before rolling out to all devices | Failures are often uncontrollable or from external forces | Failures are often uncontrollable or from external forces |

Process Step #10: Did device update successfully?

| Item | Failure mode 1 | Failure mode 2 |
|---|---|---|
| Potential Failure Mode | Failure to recognize if updated successfully | Implementation of update renders device unusable |
| Potential Cause(s) | Defect in firmware update | Defect in firmware update; hardware failure |
| Severity | Minor | Moderate |
| Probability | Remote | Uncommon |
| Hazard Score | 1 | 4 |
| Action (Eliminate, Control, or Accept) | Control | Control |
| Description of Action | Improve manufacturer testing to help control defect; hospital should test update on select devices first before rolling out to all devices | Improve manufacturer testing to help control defect; hospital should test update on select devices first before rolling out to all devices |

Process Step #11: Revert to previous version

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | Implementation of update renders device unusable | Revert to previous version fails implementation | Previous version is too old to participate in OTA update process |
| Potential Cause(s) | Defect in firmware update | Defect in previous device firmware | Insufficient update period |
| Severity | Moderate | Minor | Minor |
| Probability | Uncommon | Uncommon | Remote |
| Hazard Score | 4 | 2 | 1 |
| Action (Eliminate, Control, or Accept) | Control | Control | Control |
| Description of Action | Improve manufacturer testing to help control defect; hospital should test update on select devices first before rolling out to all devices | Improve manufacturer testing to help control defect; hospital should test update on select devices first before rolling out to all devices | Create regular maintenance schedules for devices. |

Process Step #12: Report update failure to OTA server

| Item | Failure mode 1 | Failure mode 2 | Failure mode 3 |
|---|---|---|---|
| Potential Failure Mode | OTA client on the device is not compatible with version of the OTA server | Device doesn't have network connectivity | Devices are powered off for an extended period of time |
| Potential Cause(s) | OTA server updated more recently than device | Network outage at hospital | Devices are not in use |
| Severity | Minor | Minor | Minor |
| Probability | Remote | Uncommon | Occasional |
| Hazard Score | 1 | 2 | 3 |
| Action (Eliminate, Control, or Accept) | Control | Accept | Control |
| Description of Action | Create compatible update schedules for OTA Server and devices | Failures are often uncontrollable or from external forces | Create regular maintenance schedules for devices. Retire devices that are no longer used |
