
Running head: CYBERSECURITY VULNERABILITIES IN HEALTH CARE

Cybersecurity Vulnerabilities in Health Care: Medical Devices and the Internet of Things

Sarah Armenio

University of San Diego



Failure Mode Effect Analysis

Start

1. Cybersecurity vulnerability detected and shared among device manufacturers
2. Determine which devices and software components are affected
3. Fix implemented and software update released
4. Software update imported into hospital's over-the-air (OTA) server
5. All devices check in with hospital OTA server
6. Is there an update available for this device? (No: End. Yes: continue to step 7.)
7. Download update and store on device
8. Is device currently being used? Yes / No (on No, continue to step 9)
9. Implement Update
10. Did device update successfully?
11. Revert to previous version
12. Report update failure to OTA server

End

Process Step / Failure Modes

1. Cybersecurity vulnerability detected and shared among device manufacturers
   • Cybersecurity vulnerability fails to be detected
   • Cybersecurity vulnerability is not shared amongst manufacturers
   • Cybersecurity vulnerability is not detected until it has been taken advantage of

2. Determine which devices and software components are affected
   • So many devices are affected that it is impossible to determine all affected devices
   • Poor documentation of software makes it difficult to determine if device is affected
   • Poor description of the vulnerability leads to unidentified devices

3. Fix implemented and software update released
   • Software update occurs too slowly, allowing vulnerability to be exploited
   • Software fix is too difficult to complete
   • Software fix does not completely address the vulnerability

4. Software update imported into hospital's over-the-air (OTA) server
   • Hospital fails to import software update into OTA server
   • Update fails to import due to server malfunction
   • New update is not compatible with OTA server

5. All devices check in with hospital OTA server
   • Device doesn't have network connectivity
   • Devices are powered off for an extended period of time
   • OTA client on the device is not compatible with version of the OTA server

6. Is there an update available for this device?
   • Server fails to recognize that an update is available for the device (serious design flaw in OTA server)
   • Device's firmware is corrupted and server is unable to determine if update is available
   • OTA client on the device is not compatible with version of the OTA server

7. Download update and store on device
   • Device does not have enough nonvolatile memory for update
   • Update may be corrupted on OTA server
   • OTA client on the device is not compatible with version of the OTA server

8. Is device currently being used?
   • Device never stops being used
   • Device improperly determines its usage status
   • Devices are powered off for an extended period of time

9. Implement Update
   • Update is not compatible with the device
   • Nonvolatile memory has been corrupted between download and implementation
   • Power is interrupted during implementation

10. Did device update successfully?
   • Failure to recognize if updated successfully
   • Implementation of update renders device unusable

11. Revert to previous version
   • Implementation of update renders device unusable
   • Revert to previous version fails implementation
   • Previous version is too old to participate in OTA update process

12. Report update failure to OTA server
   • OTA client on the device is not compatible with version of the OTA server
   • Device doesn't have network connectivity
   • Devices are powered off for an extended period of time
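
The device-side part of the flow (steps 6 to 12) can be sketched as a small simulation. This is an added example, not part of the original paper; the SHA-256 digest check, the self_test() health check and all class, field and status names are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass
class Update:
    version: str
    image: bytes
    sha256: str   # digest published with the update (assumed, not from the paper)

@dataclass
class Device:
    version: str
    firmware: bytes
    in_use: bool = False
    free_nvm: int = 64            # bytes of nonvolatile storage for a staged image
    staged: Optional[bytes] = None

def self_test(firmware: bytes) -> bool:
    """Hypothetical post-install health check used for step 10."""
    return firmware.startswith(b"FW")

def update_cycle(dev: Device, offer: Optional[Update], reports: list) -> str:
    """Run steps 6-12 once; failures are appended to `reports` (the OTA server's log)."""
    def fail(reason: str) -> str:                      # step 12
        reports.append((dev.version, reason))
        return reason
    if offer is None or offer.version == dev.version:  # step 6
        return "no-update"
    if dev.staged is None:                             # step 7
        if len(offer.image) > dev.free_nvm:
            return fail("insufficient-nvm")
        dev.staged = offer.image
    if dev.in_use:                                     # step 8: keep image staged, retry later
        return "deferred"
    # Verify just before install: catches corruption on the server and in NVM.
    if hashlib.sha256(dev.staged).hexdigest() != offer.sha256:
        dev.staged = None
        return fail("corrupt-image")
    previous = (dev.version, dev.firmware)             # step 9
    dev.version, dev.firmware, dev.staged = offer.version, dev.staged, None
    if self_test(dev.firmware):                        # step 10
        return "updated"
    dev.version, dev.firmware = previous               # step 11
    return fail("self-test-failed")

# Constructed sample updates: GOOD passes the self-test, BAD does not.
GOOD = Update("2.0", b"FW-2.0", hashlib.sha256(b"FW-2.0").hexdigest())
BAD = Update("2.1", b"XX-2.1", hashlib.sha256(b"XX-2.1").hexdigest())
```

Checking the digest immediately before installation, rather than only at download time, covers both "Update may be corrupted on OTA server" and "Nonvolatile memory has been corrupted between download and implementation" with a single check.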
ENLC 556: Health Care FMEA Template
Process Step #1

1 Process Step: Cybersecurity vulnerability detected and shared among device manufacturers

| 2 Potential Failure Mode | Vulnerability fails to be detected | Vulnerability is not shared amongst manufacturers | An attack using the vulnerability is not understood |
|---|---|---|---|
| 3 Potential Cause(s) | No one attempts to uncover vulnerability | Manufacturer fails to disclose to reporting agencies | When an attack is discovered, it can be difficult to determine how the vulnerability is being exploited |
| 4 Severity | Minor | Minor | Moderate |
| 5 Probability | Frequent | Frequent | Frequent |
| 6 Hazard Score | 4 | 4 | 8 |
| 7 Action (Eliminate, Control, or Accept) | Control | Eliminate | Control |
| 8 Description of Action | Fund teams to actively seek out vulnerabilities in industry | Create mandatory reporting requirements for manufacturers | Fund active response teams in the cybersecurity community |

Process Step #2

1 Process Step: Determine which devices and software components are affected

| 2 Potential Failure Mode | So many devices are affected that it is impossible to determine all affected devices | Poor documentation of software makes it difficult to determine if device is affected | Poor description of the vulnerability leads to unidentified devices |
|---|---|---|---|
| 3 Potential Cause(s) | Too many devices; Poor documentation and tracking of devices | Poor documentation of code | Poor documentation of vulnerability during reporting |
| 4 Severity | Minor | Minor | Minor |
| 5 Probability | Occasional | Frequent | Frequent |
| 6 Hazard Score | 3 | 4 | 4 |
| 7 Action (Eliminate, Control, or Accept) | Control | Control | Eliminate |
| 8 Description of Action | Industry guidelines for documenting devices | Improve documentation of software and firmware | Create mandatory reporting requirements for manufacturers; Reports should be clear and descriptive |

Process Step #3

1 Process Step: Fix implemented and software update released

| 2 Potential Failure Mode | Software update occurs too slowly, allowing vulnerability to be exploited | Software fix is too difficult to complete | Software fix does not completely address the vulnerability |
|---|---|---|---|
| 3 Potential Cause(s) | Slow reaction from manufacturers on fix | Vulnerability buried in code. No existing fixes or workaround | Failure on developer to understand the vulnerability. Poor documentation in reporting. |
| 4 Severity | Moderate | Moderate | Moderate |
| 5 Probability | Frequent | Uncommon | Uncommon |
| 6 Hazard Score | 8 | 4 | 4 |
| 7 Action (Eliminate, Control, or Accept) | Control | Control | Eliminate |
| 8 Description of Action | Enforce max time allowed between reporting and release of fix | Some technology fixes require whole rewrites of firmware rendering device obsolete; Retire devices | Enforce strict reporting guidelines to explain vulnerability clearly |

Process Step #4

1 Process Step: Software update imported into hospital's over-the-air (OTA) server

| 2 Potential Failure Mode | Hospital fails to import software update into OTA server | Update fails to import due to server malfunction | New update is not compatible with OTA server |
|---|---|---|---|
| 3 Potential Cause(s) | Hospital not aware that update is available; Staff error | Power failure; hardware failure; network connection lost | OTA server not kept up to date |
| 4 Severity | Moderate | Minor | Minor |
| 5 Probability | Occasional | Uncommon | Uncommon |
| 6 Hazard Score | 6 | 2 | 2 |
| 7 Action (Eliminate, Control, or Accept) | Eliminate | Accept | Eliminate |
| 8 Description of Action | Create regular maintenance plans for devices and OTA server to check for new updates | Power failures may be from external forces | Create regular maintenance plans for OTA server |
Process Step #5

1 Process Step: All devices check in with hospital OTA server

| 2 Potential Failure Mode | Device doesn't have network connectivity | Devices are powered off for an extended period of time | OTA client on the device is not compatible with version of the OTA server |
|---|---|---|---|
| 3 Potential Cause(s) | Wireless network down | Devices not in use | OTA server updated more recently than device |
| 4 Severity | Minor | Minor | Minor |
| 5 Probability | Occasional | Occasional | Remote |
| 6 Hazard Score | 3 | 3 | 1 |
| 7 Action (Eliminate, Control, or Accept) | Accept | Control | Control |
| 8 Description of Action | Networks will fail. May be from external or uncontrollable causes | Create regular maintenance schedules for devices. Physically track devices if needed to monitor use. | Create compatible update schedules for OTA Server and devices. |

Process Step #6

1 Process Step: Is there an update available for this device?

| 2 Potential Failure Mode | Server fails to recognize that an update is available for the device (serious design flaw in OTA server) | Device firmware is corrupted and server is unable to determine if update is available. | OTA client on the device is not compatible with version of the OTA server |
|---|---|---|---|
| 3 Potential Cause(s) | Design flaw in OTA server | Damaged or worn out flash memory. Firmware defects | OTA server updated more recently than device |
| 4 Severity | Minor | Minor | Minor |
| 5 Probability | Remote | Uncommon | Remote |
| 6 Hazard Score | 1 | 2 | 1 |
| 7 Action (Eliminate, Control, or Accept) | Accept | Accept | Control |
| 8 Description of Action | Unintentional design flaw by developer | Failures are often uncontrollable or from external sources | Create compatible update schedules for OTA Server and devices |

Process Step #7

1 Process Step: Download update and store on device

| 2 Potential Failure Mode | Device does not have enough nonvolatile memory for update | Update may be corrupted on OTA server | OTA client on the device is not compatible with version of the OTA server |
|---|---|---|---|
| 3 Potential Cause(s) | Poor implementation of update by manufacturer | Server hard drive failure | OTA server updated more recently than device |
| 4 Severity | Minor | Minor | Minor |
| 5 Probability | Remote | Remote | Remote |
| 6 Hazard Score | 1 | 1 | 1 |
| 7 Action (Eliminate, Control, or Accept) | Control | Accept | Control |
| 8 Description of Action | Enforce strict guidelines for documenting and reporting vulnerability. Create communities for device manufacturers to learn from one another | Failures are often uncontrollable or from external forces | Create compatible update schedules for OTA Server and devices |
Process Step #8

1 Process Step: Is device currently being used?

| 2 Potential Failure Mode | Device never stops being used | Device improperly determines its usage status | Devices are powered off for an extended period of time |
|---|---|---|---|
| 3 Potential Cause(s) | Critical device requires continued use for patient. Not enough devices | Defect in firmware. | Devices not in use |
| 4 Severity | Minor | Minor | Minor |
| 5 Probability | Occasional | Uncommon | Occasional |
| 6 Hazard Score | 3 | 2 | 3 |
| 7 Action (Eliminate, Control, or Accept) | Eliminate | Accept | Control |
| 8 Description of Action | Purchase additional devices to ensure there are enough for patients and required downtime maintenance | Unintentional error by developer/device manufacturer | Create regular maintenance schedules for devices. Physically track devices if needed to monitor use |

Process Step #9

1 Process Step: Implement Update

| 2 Potential Failure Mode | Update is not compatible with the device | Nonvolatile memory has been corrupted between download and implementation | Power is interrupted during implementation |
|---|---|---|---|
| 3 Potential Cause(s) | Oversight by manufacturer | Damaged hardware | Power failure in hospital |
| 4 Severity | Minor | Moderate | Minor |
| 5 Probability | Remote | Remote | Remote |
| 6 Hazard Score | 1 | 2 | 1 |
| 7 Action (Eliminate, Control, or Accept) | Control | Accept | Accept |
| 8 Description of Action | Unintentional error by developer or device manufacturer; Improve manufacturing testing to help control; hospital should test update on select devices first before rolling out to all devices | Failures are often uncontrollable or from external forces | Failures are often uncontrollable or from external forces |

Process Step #10

1 Process Step: Did device update successfully?

| 2 Potential Failure Mode | Failure to recognize if updated successfully | Implementation of update renders device unusable |
|---|---|---|
| 3 Potential Cause(s) | Defect in firmware update | Defect in firmware update; hardware failure |
| 4 Severity | Minor | Moderate |
| 5 Probability | Remote | Uncommon |
| 6 Hazard Score | 1 | 4 |
| 7 Action (Eliminate, Control, or Accept) | Control | Control |
| 8 Description of Action | Improve manufacturer testing to help control defect; hospital should test update on select devices first before rolling out to all devices | Improve manufacturer testing to help control defect; hospital should test update on select devices first before rolling out to all devices |

Process Step #11

1 Process Step: Revert to previous version

| 2 Potential Failure Mode | Implementation of update renders device unusable | Revert to previous version fails implementation | Previous version is too old to participate in OTA update process |
|---|---|---|---|
| 3 Potential Cause(s) | Defect in firmware update | Defect in previous device firmware | Insufficient update period |
| 4 Severity | Moderate | Minor | Minor |
| 5 Probability | Uncommon | Uncommon | Remote |
| 6 Hazard Score | 4 | 2 | 1 |
| 7 Action (Eliminate, Control, or Accept) | Control | Control | Control |
| 8 Description of Action | Improve manufacturer testing to help control defect; hospital should test update on select devices first before rolling out to all devices | Improve manufacturer testing to help control defect; hospital should test update on select devices first before rolling out to all devices | Create regular maintenance schedules for devices. |

Process Step #12

1 Process Step: Report update failure to OTA server

| 2 Potential Failure Mode | OTA client on the device is not compatible with version of the OTA server | Device doesn't have network connectivity | Devices are powered off for an extended period of time |
|---|---|---|---|
| 3 Potential Cause(s) | OTA server updated more recently than device | Network outage at hospital | Devices are not in use |
| 4 Severity | Minor | Minor | Minor |
| 5 Probability | Remote | Uncommon | Occasional |
| 6 Hazard Score | 1 | 2 | 3 |
| 7 Action (Eliminate, Control, or Accept) | Control | Accept | Control |
| 8 Description of Action | Create compatible update schedules for OTA Server and devices | Failures are often uncontrollable or from external forces | Create regular maintenance schedules for devices. Retire devices that are no longer used |
