Protecting intellectual property (IP) has always been a priority for medical device manufacturers, as competitors and even governments constantly attempt to compromise or steal intellectual property. For example, in January 2019, a Chinese national who stole secrets while working for medical device companies including Medtronic and Edwards was sentenced to more than two years in federal prison. Over time, Wenfeng Lu had copied many documents belonging to his two employers that contained technical information and trade secrets, took them home, and placed them on his personal laptop. He was arrested as he was about to board a plane for the PRC.
It has never been easier or more profitable to hack devices for their IP. More and more medical devices have evolved from mechanical devices with limited software into devices packed with software. Companies spend billions of dollars on R&D over many years, only to leave vulnerabilities in device software and firmware, opening the door for hackers to come in and steal their IP. Something is seriously wrong with this scenario.
Sometimes the vulnerabilities are created during the development process, and sometimes they are part of the components received from their supply chain vendors. The shortage of parts and components caused in part by the pandemic amplifies the challenge. This drives many manufacturers to look for alternative suppliers who can produce regular supplies. With new vendors comes the added risk of new untested components and the potential for many new threats and vulnerabilities.
Organizations that want to protect their IP from theft and misuse must do a much better job of securing the devices they produce.
What’s at stake
Stolen IP allows hackers to redesign and sell the same device with a fraction of the R&D investment. Wenfeng Lu, for example, had secured funding and was preparing to open a company in the PRC that would manufacture devices used to treat vascular problems and use technology he had stolen from his US employers, according to court documents.
The US Intellectual Property Theft Commission estimates that the annual costs of intellectual property loss range from $225 billion to $600 billion. Intellectual property infringement can significantly affect a company’s revenue and put downward pressure on its prices. If a competitor steals a company’s product trade secrets, they can beat that company to market with a new and innovative product, thereby reducing the victim’s market share.
Medical device companies face a very competitive environment, which increases the incentive for intellectual property theft. Intellectual property theft using online hacking techniques has become more widespread and harmful due to low costs, difficult attribution and the ability to hack into systems remotely.
The device is the target
While it is true that IP can leak through insider sources and insider threats, IP is increasingly being stolen through cyberattacks on the device itself. For example, a recent case was reported in which a medical device engineering company in Massachusetts suffered theft of the source code of its medical devices and of the algorithms that are essential to the operation of those devices. The devices reside at the customer’s site and can often be accessed, examined, and reverse engineered at the attacker’s whim.
New common vulnerabilities and exposures (CVEs) emerge frequently, and risk assessments are often only run sporadically during the development process, and not at all after product launch. This means that there are significant periods when devices are wide open to hacks, allowing hackers to steal software and firmware algorithms and disappear, without anyone ever knowing they were there.
Protecting intellectual property assets is a core business task. Protecting IP on a device requires a holistic approach to device security. Locking down interfaces, as well as protecting software code and firmware, is critical to defending against IP theft. Although there is no guarantee of protection, the goal is to raise the level of difficulty to the point where the attacker faces many more obstacles and needs far more time and money to hack the device.
It is imperative that medical manufacturers defend against intellectual property theft, including targeted cyberattacks. To protect intellectual property, companies need product security systems that automatically and continuously monitor medical device software and firmware, discovering known and zero-day vulnerabilities.
The software and firmware running the device is a valuable target for attackers. Adding layers of protection to make code less accessible to attackers is key to securing intellectual property. This includes finding errors in the code that could allow attackers in, encrypting data and storage, and using obfuscation techniques to make reverse engineering more difficult.
Manufacturers should conduct ongoing vulnerability assessments of software deployed on medical devices, using vulnerability databases. They should make sure the cybersecurity platform they enlist is also capable of detecting zero-day vulnerabilities. Monitoring must extend over the entire life cycle, from design to end of life of the device. The solution should also be able to produce a Software Bill of Materials (SBOM) or Cyber Bill of Materials (CBOM) and remediation options for any discovered threats or vulnerabilities.
One of the most effective ways to secure a device’s IP is to eliminate the easiest method of hacking the device: known vulnerabilities. Attackers scan targets for known, published vulnerabilities to use as starting points for attacks. Vulnerability management requires continuous monitoring of threats and vulnerabilities throughout the product lifecycle. Late discovery of, or failure to appropriately remediate, discovered vulnerabilities can lead to costly recalls and negatively impact brand and bottom line.
Vulnerability monitoring is not a matter of taking a single SBOM or CBOM snapshot. Product security teams should establish ongoing processes and policies to proactively and collaboratively manage cyber threats in medical devices together with their development teams and their suppliers. They need visibility into and understanding of the composition and characteristics of their software asset inventory, reliable and timely vulnerability data, and automated workflows that support cybersecurity within the organization and ongoing vulnerability management long after medical equipment has been sold and deployed. Having these protections in place may not provide an airtight seal against attack, but it will certainly make it much more difficult for a hacker to gain access and cause damage.
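The SBOM-driven monitoring loop described in the last three paragraphs, as an added illustration that is not Cybellum’s code: a constructed CycloneDX-style SBOM for a hypothetical firmware image is matched against a constructed advisory feed (placeholder IDs, not real CVEs), each hit carries its remediation option, and a second pass shows how re-running the match against a refreshed feed surfaces advisories that appeared since the last scan.

```python
"""Match an SBOM against an advisory feed and report newly surfaced findings."""
import json

# Constructed CycloneDX-style SBOM for a hypothetical device firmware image.
SBOM_JSON = """{"bomFormat": "CycloneDX", "components": [
  {"name": "libtls",     "version": "1.2.0"},
  {"name": "json-parse", "version": "0.9.3"},
  {"name": "rtos-net",   "version": "4.1.1"}]}"""

# Constructed advisory feed; the IDs are placeholders, not real CVE numbers.
FEED_DAY1 = [
    {"id": "ADV-PLACEHOLDER-0001", "component": "libtls",
     "affected_below": "1.2.4", "fixed_in": "1.2.4"},
    {"id": "ADV-PLACEHOLDER-0002", "component": "rtos-net",
     "affected_below": "4.0.0", "fixed_in": "4.0.0"},  # already patched version
]
# The same feed one day later: a new advisory for json-parse has been published.
FEED_DAY2 = FEED_DAY1 + [
    {"id": "ADV-PLACEHOLDER-0003", "component": "json-parse",
     "affected_below": "1.0.0", "fixed_in": "1.0.0"},
]


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def match_sbom(sbom_json, advisories):
    """Return one finding per advisory whose affected range covers an SBOM
    component, with the fixed version attached as the remediation option."""
    installed = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    findings = []
    for adv in advisories:
        version = installed.get(adv["component"])
        if version is None:          # component not in this image: no exposure
            continue
        if parse_version(version) < parse_version(adv["affected_below"]):
            findings.append({"id": adv["id"], "component": adv["component"],
                             "installed": version, "remediate_to": adv["fixed_in"]})
    return findings


def new_since(previous_findings, current_findings):
    """Findings present now but absent from the last scan: these drive the
    post-launch alerting that a one-off SBOM snapshot cannot provide."""
    seen = {f["id"] for f in previous_findings}
    return [f for f in current_findings if f["id"] not in seen]


if __name__ == "__main__":
    day1 = match_sbom(SBOM_JSON, FEED_DAY1)
    day2 = match_sbom(SBOM_JSON, FEED_DAY2)
    print("day 1:", day1)
    print("new on day 2:", new_since(day1, day2))
```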
Learn more about Cybellum at www.cybellum.com.