Medtronic, a medical device manufacturer, provides an array of innovative technologies that improve patients' lives. With MiniMed Paradigm insulin pumps, people with diabetes can control their blood sugar levels automatically, which is why thousands of people use them. However, were the patients the only ones using them?
According to an article by Bill Toulas, published by Bleeping Computer in October 2021, two types of remote controllers used with the Medtronic MiniMed 508 and the Paradigm family of insulin pumps were sold to U.S. patients between 1999 and 2018. In 2019, Medtronic and the Food and Drug Administration (FDA) warned patients that these remote controllers, which connect to the pump over wireless communication, could be hacked, and that too much or too little insulin could then be administered. At that time, Medtronic and the FDA announced plans for a nationwide recall program.
However, it was not until October 2021 that Medtronic sent patients letters with specific instructions on the recall and on how to obtain replacements. In other words, despite being unpatched since 1999, these devices remain in patients' hands, posing a life-threatening risk.
This case highlights that medical device manufacturers have been so eager to deliver devices to hospitals, clinics, health systems and their patients that security has received little consideration in either the hardware or the software production of those devices. Furthermore, routine patching of known vulnerabilities is treated as optional as long as the devices keep working and no exploit is known. And it is not just vulnerabilities in wireless device communications that have threatened patient lives. Devices running outdated software versions, such as Windows 7, threaten patient safety, as do devices containing hardware or software components created by foreign nation-state hackers to maintain backdoors and persistent command-and-control operations that exfiltrate PHI or other sensitive data, or, even worse, install ransomware.
3 Tips for Vendor Risk Assessments on a Medical Device Manufacturer
What does a healthcare organization do to ensure a medical device manufacturer applies routine patches and updates to their devices? It all starts with a vendor risk assessment.
Here are 3 things to keep in mind:
- The scope of the vendor risk assessment should include not just the device itself, but also the security practices of the vendor as a company.
- A review of the vendor's internal patch management policies and vulnerability scans for the device should be part of the assessment.
- A healthcare organization needs to document the service level agreements (SLAs) the vendor will follow for providing patches for discovered vulnerabilities and routine updates for outdated components. If the vendor's usual SLAs are not acceptable under the healthcare organization's own patch management practices, those SLAs should be updated and written into the vendor contract before the purchase or renewal is completed.
It is becoming more common for manufacturers to create a Software Bill of Materials (SBOM) for their devices to help determine whether any of the software components contain vulnerabilities. An SBOM is essentially the list of ingredients for a medical device, detailing which versions of open-source code or proprietary applications were used to build it. This list can be compared against a vulnerability database, such as the National Vulnerability Database (NVD), to identify which software component versions have known vulnerabilities. When vulnerabilities are found, a healthcare organization can notify the manufacturer and request a patch or an updated device version.
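Matching an SBOM's component list against a vulnerability feed, as an added example that is not from the original article, from Medtronic, or from any real device: the script reads a constructed CycloneDX-style SBOM and checks each component version against constructed vulnerability records using "introduced/fixed" version ranges. The component versions, ranges and CVE-style identifiers are placeholders made up for illustration.

```python
import itertools
import json

# Constructed minimal SBOM in CycloneDX-style JSON (not any real device's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "openssl", "version": "1.0.2k"},
    {"name": "busybox", "version": "1.31.1"},
    {"name": "zlib",    "version": "1.2.11"}
  ]
}"""

# Constructed vulnerability records shaped like an NVD/OSV feed: a component is
# affected from "introduced" (inclusive) up to "fixed" (exclusive).
# Identifiers and ranges are placeholders, not real advisories.
VULN_DB = [
    {"id": "CVE-PLACEHOLDER-1", "component": "openssl", "introduced": "1.0.0", "fixed": "1.0.2u"},
    {"id": "CVE-PLACEHOLDER-2", "component": "busybox", "introduced": "1.0",   "fixed": "1.30.0"},
    {"id": "CVE-PLACEHOLDER-3", "component": "zlib",    "introduced": "1.2.0", "fixed": "1.2.12"},
]

def version_key(version):
    """Turn '1.0.2k' into a comparable tuple of (number, suffix) pairs so that
    dotted numeric versions and OpenSSL-style patch letters sort correctly."""
    key = []
    for piece in version.split("."):
        digits = "".join(itertools.takewhile(str.isdigit, piece))
        key.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(key)

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)

def match_sbom(sbom_json, vuln_db):
    """Return one finding per (component, vulnerability) pair whose version falls
    in the affected range; this is the SBOM-to-vulnerability-database comparison."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for vuln in vuln_db:
            if vuln["component"] == comp["name"] and is_affected(
                    comp["version"], vuln["introduced"], vuln["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "id": vuln["id"], "fixed": vuln["fixed"]})
    return findings

if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, VULN_DB):
        print(f"{f['component']} {f['version']}: {f['id']} (fixed in {f['fixed']})")
```

Each finding names the fixed version, which is the concrete item to put in the patch request to the manufacturer and to check against the SLA in the vendor contract.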
Medical devices such as the Medtronic MiniMed 508 and the Paradigm family of insulin pumps have revolutionized healthcare and, without a doubt, have made patients' lives better. However, medical devices are technologies that need security controls applied to them, just like a laptop or mobile phone. Understanding how to conduct a vendor risk assessment, and what to expect from vendor service level agreements, should be a top priority for any healthcare organization.