Medical Device Cybersecurity And The Not-So-Hidden Threat Of Backdoors

Forbes

6 days ago

Founder, Blue Goat Cyber | MedTech Cybersecurity Leader | Speaker & Author | 24x Ironman | Securing Innovation & Patient Safety.
The threats guiding the world of medical device cybersecurity encompass many attack types. Data breaches, malware and ransomware continue to increase, making the environment volatile and ever-changing. While the Food and Drug Administration (FDA) requires cybersecurity controls and protocols before and after approval, no device or network can be completely risk-free.
In analyzing the threat landscape, calling attention to backdoors is important. Backdoors describe hidden functionality that's unknown to device users. They can lead to unauthorized access, allowing hackers to bypass the controls in place. A backdoor gives cybercriminals a way to sneak in and steal personally identifiable information (PII) and protected healthcare information (PHI).
So, how big a threat are backdoors?
The Backdoor Threat Level: FDA Issues Risk Alert
At the end of January 2025, the FDA issued a specific risk alert related to backdoors, calling out two patient safety monitors.
The agency identified these vulnerabilities:
• An unauthorized user could remotely control the patient monitoring system. They would be able to perform unwanted actions or crash the device completely.
• The software within the devices has a backdoor, which would compromise the device and network if connected.
• After the device connects to the internet, it begins to collect patient data (PII and PHI) and exfiltrate information from outside the healthcare delivery environment.
The FDA stated it had not received any reports relating to incidents or patient safety because of the vulnerabilities. The FDA and the Cybersecurity and Infrastructure Security Agency (CISA) are currently working with the manufacturer to resolve the issue.
The alert also relayed that the FDA had authorized these monitors for wired functionality only. However, the agency was aware that some users were connecting via Wi-Fi.
The cyberattack method in the backdoor only becomes active after joining networks and the IP address connected to it does not belong to the manufacturer or a healthcare organization. Instead, it was the property of a university.
The tip for this came from an external researcher via the coordinated vulnerability disclosure process, and CISA then tested the theory, finding it to be true.
A backdoor isn't always malicious. Sometimes, manufacturers enable this to make updates. Manufacturers are required to have updating and patching protocols once devices are on the market. That was not the case with these patient monitoring systems.
Checks And Balances For Backdoors
How did this backdoor gain the power to overwrite files on the device? The FDA's current guidelines have requirements that pertain to backdoors in place. The first is the software bill of materials (SBOM). Manufacturers must submit these with their application to the FDA for approval.
An SBOM lists all pieces of software within a device and its dependencies and metadata. It's an 'inventory' to ensure transparency and mitigate risk. The motivation behind mandating SBOMs is to identify all code, most of which is open source, and ensure that what's in use is the most up to date.
Older versions of much open code have vulnerabilities. In fact, an open-source security report concluded that 86% of codebases assessed had vulnerabilities and 81% had high levels of risk. Those percentages have risen considerably from years past.
An SBOM should act as a transparency mechanism and allow for proper tracking of code so that if anyone finds a vulnerability, it should lead to earlier detection and remedy. These devices have been on the market for some time. Even before SBOMs were mandatory, most premarket submissions included them, but they weren't seriously scrutinized.
A Deeper Dive Into The Code
In the technical document from CISA researchers, key insights emerged on why the device's software was flagged.
The code didn't have any of the features that are best practices for updating. The devices must have a way to update with patches, but this backdoor lacked standard security postures. For example, there was no integrity verification or way to record overwritten files. The other big tell was that remote file sharing was via an IP address, not a DNS entry.
How The Backdoor Got Through
In the technical breakdown and alert, the FDA does not provide any information on this. The company also hasn't issued a response, according to media outlets reporting the story.
Additionally, no software patch is currently available. The recommendation from experts is simply to disconnect the devices. The consequence of this could impact patient care since these patient monitoring devices are in heavy use.
Since the alert came from an outside researcher, it also points to the question of risk assessment by organizations using it. Potentially, penetration testing, vulnerability scanning or other proactive cybersecurity measures would have also found the backdoor.
There is no easy answer to curbing the cyber threats to medical devices. They have become integral in patient care, but manufacturers and providers should be continuously evaluating threats and vulnerabilities.
As devices come onto the market that have to follow the new FDA guidance of SBOMs and patching, backdoors may become easier to prevent and detect. For the entire industry, this is a stark reminder that threats can easily disguise themselves.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?