Securing Connected Medical Devices: Lessons from Recent Network Intrusions

Topics: Vulnerability management, Regulatory, Thought leadership

January 16, 2025


Recent reports have revealed alarming cybersecurity vulnerabilities within U.S. telecommunications networks, with Chinese state-sponsored actors exploiting weaknesses to gain access to sensitive communications infrastructure. These revelations underscore an unsettling reality: while many medical devices operate within local hospital networks, a growing subset relies on direct or indirect connections to public LTE/5G networks for remote maintenance, to support specific clinical functions, or in evolving home care delivery models.

Although most devices are designed to keep operating independently or over local Wi-Fi and Bluetooth even when public network connections are disrupted, the increasing reliance on mobile connectivity introduces new risks. According to the FDA, the agency regulates more than 190,000 distinct medical devices across a wide range of categories. With advances in 5G, edge computing, and other innovations, industry projections put the number of connected devices at nearly 50 billion by 2030, greatly expanding the healthcare sector's attack surface.

The Threat Landscape

A recent FBI and CISA investigation revealed that Salt Typhoon, a Chinese-linked cyber espionage group, continues to compromise U.S. telecom networks months after initial intrusions were discovered. These bad actors are exploiting known infrastructure vulnerabilities to access sensitive information, such as call records and text messages, with a particular focus on high-profile targets in the Washington, D.C. area.


The implications for the healthcare industry are significant. While most connected medical devices operate within local hospital networks and do not rely on telecommunication networks, a subset uses these networks for specific functions such as remote monitoring or maintenance. For these devices, a successful compromise of telco networks could lead to breaches of confidentiality, potentially exposing sensitive patient data. However, most devices are designed to continue functioning safely via local connectivity or standalone modes, which reduces the likelihood of direct impacts to patient safety.

Cybersecurity Lessons from Telecommunications

The Federal Communications Commission (FCC) recently proposed new measures in response to Salt Typhoon’s revelations. These measures include requirements for telecommunications carriers to submit annual cybersecurity certifications and implement robust risk management plans. The FCC’s focus on securing infrastructure, such as public 5G networks, submarine cables, and emergency alert systems, highlights the need for a similar coordinated effort in other critical infrastructure industries, such as the healthcare sector. However, healthcare’s unique infrastructure and industry composition require tailored actions to address its specific weaknesses and risks effectively.

FCC Chairwoman Jessica Rosenworcel emphasized the urgency of these efforts, stating, “As technology continues to advance, so do the capabilities of adversaries, which means the US must adapt and reinforce our defenses.” The healthcare industry can draw parallels from these actions, recognizing the shared responsibility to secure interconnected systems. Achieving this will require a coordinated approach, with all stakeholders contributing to a cybersecurity framework designed for healthcare’s distinct challenges.

Cybersecurity Threat Landscape

Global agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate's (ASD's) Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand's National Cyber Security Centre (NCSC-NZ), have warned that People's Republic of China (PRC)-affiliated threat actors have compromised major telecommunications providers' networks as part of a broad cyber espionage campaign.

CISA Resources: Enhanced Visibility and Hardening Guidance for Communications Infrastructure

In response, these agencies have issued the "best practices" guide above to help network engineers and communications infrastructure defenders harden their networks against exploitation by PRC-affiliated and other malicious actors.

A Call to Action for Healthcare Cybersecurity

In light of these threats, healthcare organizations must adopt a proactive cybersecurity strategy to protect their networks, infrastructure, devices, and sensitive patient data.

Strengthen Visibility and Monitoring

  • Improve Asset Visibility: Maintain a complete inventory of network-connected and stand-alone software-based assets and catalogue their security characteristics, including a Software Bill of Materials (SBOM) that records component versions and end-of-life (EOL) dates so that unsupported components can be identified.
  • Centralized Monitoring: Implement comprehensive monitoring systems to collect and analyze activity from individual devices and networks, enabling the detection of unauthorized changes, and identification of potential threats. Increased visibility at both the device and network levels aligns with FDA recommendations and enhances overall security posture.
  • Threat Intelligence and Information Sharing: Participate in Information Sharing and Analysis Organizations (ISAOs) or Information Sharing and Analysis Centers (ISACs) to collaborate with peers and share threat intelligence. Such collective efforts improve awareness of emerging threats and foster a proactive, collaborative cybersecurity culture across the healthcare industry.
  • Secure Administrative Access: Safeguard administrative access to all connected devices by replacing default and/or hardcoded credentials with strong, unique ones, especially for remote access and consider multi-factor authentication. Ensure that management traffic is encrypted to protect sensitive data, access activities are logged and reviewed, and unauthorized access is prevented.

Harden Systems and Networks Against Exploitation

  • Segment Networks: Ensure that devices are separated into appropriate network segments based on device function, integration needs, and criticality.
  • Strict Access Control: Implement robust access control measures, similar to those recommended for telecommunications systems, to limit exposure to external threats. For instance, segmenting critical systems from public-facing and general enterprise networks can significantly reduce attack surfaces and improve overall security.
  • Encryption & Device Authentication: Incorporate encryption and authentication protocols in the device design early in the lifecycle to safeguard sensitive data and prevent unauthorized access. This applies equally to human users, such as administrators accessing devices, and service-type or automated “users,” like applications and processes that communicate across networks as well as other devices and device-supporting internal and external backends. Leveraging solutions like the Medcrypt Guardian Platform for cryptography can streamline compliance with industry best practices and enhance both user and machine-level security.
  • Regular Updates: Consistently update firmware and software to patch known vulnerabilities, especially those that have active/known exploits, a key recommendation from both CISA and the FBI, to defend against emerging threats and maintain system integrity.
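The inventory, monitoring, administrative-access, segmentation and update items above can be expressed as a single automated check over the device inventory. The following is an added example, not Medcrypt's code or a real hospital inventory: it walks a constructed inventory and reports devices that sit outside the segment their class is assigned to, SBOM components past their end-of-life date (or with no EOL data at all), firmware whose hash has drifted from the commissioning baseline, and administrative access that still uses default credentials or lacks MFA on a remote path. All device IDs, subnets, hashes, component names and EOL dates are constructed for illustration.

```python
"""Inventory audit for connected medical devices (added example; all data constructed)."""
from datetime import date
import ipaddress

# Constructed segmentation policy: which subnets each device class may occupy.
SEGMENT_POLICY = {
    "infusion_pump": ["10.20.0.0/24"],
    "patient_monitor": ["10.20.1.0/24"],
    "imaging": ["10.30.0.0/23"],
}

# Constructed end-of-life table keyed by (component, version).  In practice
# this comes from vendor SBOMs or an EOL feed, not a hand-written dict.
EOL_DATES = {
    ("embedded-linux", "3.14"): date(2020, 9, 30),
    ("embedded-linux", "5.10"): date(2026, 12, 31),
    ("tls-stack", "1.0.2"): date(2019, 12, 31),
    ("tls-stack", "3.0"): date(2026, 9, 7),
}

# Constructed firmware hashes recorded when each device was commissioned.
FIRMWARE_BASELINE = {
    "PUMP-001": "sha256:11aa",
    "MON-007": "sha256:22bb",
    "CT-002": "sha256:33cc",
}

# Constructed inventory; "sbom" is a flattened (component, version) list.
INVENTORY = [
    {"id": "PUMP-001", "class": "infusion_pump", "ip": "10.20.0.15",
     "firmware": "sha256:11aa",
     "sbom": [("embedded-linux", "3.14"), ("tls-stack", "1.0.2")],
     "admin": {"default_creds": True, "remote_access": "cellular", "mfa": False}},
    {"id": "MON-007", "class": "patient_monitor", "ip": "10.1.5.40",
     "firmware": "sha256:22bb",
     "sbom": [("embedded-linux", "5.10"), ("tls-stack", "3.0")],
     "admin": {"default_creds": False, "remote_access": "none", "mfa": False}},
    {"id": "CT-002", "class": "imaging", "ip": "10.30.1.9",
     "firmware": "sha256:9999",
     "sbom": [("embedded-linux", "5.10"), ("dicom-lib", "2.1")],
     "admin": {"default_creds": False, "remote_access": "vpn", "mfa": True}},
]


def audit_device(dev, today, policy=SEGMENT_POLICY, eol=EOL_DATES,
                 baseline=FIRMWARE_BASELINE):
    """Return a list of (finding_code, detail) tuples for one device."""
    findings = []

    # Segmentation: the device's address must fall inside a subnet allowed
    # for its class.  An unknown class has no allowed subnets and is flagged.
    ip = ipaddress.ip_address(dev["ip"])
    allowed = [ipaddress.ip_network(n) for n in policy.get(dev["class"], [])]
    if not any(ip in net for net in allowed):
        findings.append(("segment", f"{ip} is outside the {dev['class']} segment"))

    # SBOM: components past EOL cannot receive patches; components with no
    # EOL data are flagged separately so they are not silently treated as fine.
    for component, version in dev["sbom"]:
        eol_date = eol.get((component, version))
        if eol_date is None:
            findings.append(("eol_unknown", f"{component} {version} has no EOL data"))
        elif eol_date < today:
            findings.append(("eol", f"{component} {version} reached EOL on {eol_date}"))

    # Monitoring: firmware hash must match what was recorded at commissioning.
    expected = baseline.get(dev["id"])
    if expected is None:
        findings.append(("no_baseline", "no commissioning firmware hash recorded"))
    elif dev["firmware"] != expected:
        findings.append(("firmware_drift", f"running {dev['firmware']}, baseline {expected}"))

    # Administrative access: no default credentials, MFA on any remote path.
    admin = dev["admin"]
    if admin["default_creds"]:
        findings.append(("default_creds", "administrative account uses default credentials"))
    if admin["remote_access"] != "none" and not admin["mfa"]:
        findings.append(("remote_no_mfa", f"{admin['remote_access']} remote access without MFA"))
    return findings


def audit_inventory(inventory, today=None):
    """Audit every device; returns {device_id: [(code, detail), ...]}."""
    today = today or date.today()
    return {dev["id"]: audit_device(dev, today) for dev in inventory}


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY).items():
        print(f"{dev_id}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for code, detail in findings:
            print(f"  [{code}] {detail}")
```

Run as a script it prints one line per device plus a finding per problem; the `today` parameter exists so the EOL check is reproducible in tests and so the same inventory can be re-evaluated against a future date to see what will expire next. The finding codes are deliberately stable strings so the output can be fed to a ticketing or SIEM pipeline rather than read by hand.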

Prepare for Incident Response

  • Incident Response Plans: Develop, practice, and maintain comprehensive incident response plans to address potential security incidents swiftly. This should include predefined and practiced fail-safe measures for critical devices and systems to ensure rapid recovery and minimal impact. See the Coordinated Healthcare Incident Response Plan (CHIRP) and Medical Product Manufacturer Cyber Incident Response Playbook (MPM CIRP) from HSCC for incident response resources.
  • Define Roles and Responsibilities: Define resources, activities, and decision-making authorities of individuals supporting the IR process. This includes internal technical, clinical, and administrative resources as well as external resources such as vendors, ISAOs, or government agencies.
  • Exercise your IR Plan: Once you have developed an incident response plan, test it out, make sure it works for the stakeholders who are expected to participate in a security event or incident response. This can lead to iterative improvements to the plan itself, and can also train your team proactively for response to incidents or events.

All of the above speaks primarily to the responsibilities of device operators, such as hospitals. However, these responsibilities are matched by a corresponding set of regulatory obligations for manufacturers as defined by the FDA, including the cybersecurity requirements of section 524B of the FD&C Act (the provisions originally proposed in the PATCH Act) and the FDA's premarket and postmarket cybersecurity guidance. For simplicity, these complementary responsibilities are acknowledged here as part of the broader collaborative effort required between all stakeholders in the healthcare ecosystem.


Broader Implications and Next Steps

The healthcare industry cannot afford to overlook the risks presented by vulnerable telecommunications networks. As highlighted by CISA, these attacks are not sophisticated but rather exploit longstanding weaknesses. Similarly, the cybersecurity measures necessary to protect our healthcare infrastructure, including its medical devices, are within reach but require proactive effort.

Medical device manufacturers, standards development organizations (SDOs), and regulatory bodies must work together to fortify the connected medical ecosystem. For example, the IEEE 2621 series demonstrates promising progress in protecting connected diabetes devices, and the recently released IEEE/UL 2933 "Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS — Trust, Identity, Privacy, Protection, Safety, and Security" addresses the clinical IoT space broadly and thoroughly. Expanding such collaborative efforts to other connected medical devices is essential. By aligning the mobile and medical industries with cybersecurity expertise, we can strengthen defenses across all interconnected systems.

Conclusion

The recent network intrusions by state-sponsored actors underscore the critical need for heightened cybersecurity across our critical infrastructure industries, including healthcare, and also highlight the challenges that medical device manufacturers and operators face. The vulnerabilities exploited in telecommunications networks reveal systemic weaknesses that also endanger connected medical devices and the sensitive data they transmit. Promising steps, such as the development of standards like IEEE 2621 or IEEE/UL 2933, highlight how cross-industry collaboration can address these challenges. However, greater synergy is needed between the mobile communications and medical device industries to align their efforts in securing interconnected systems. By fostering more comprehensive partnerships and leveraging cybersecurity expertise, we can establish a robust foundation for the protection of connected medical devices.

Now is the time for the healthcare, mobile, and cybersecurity ecosystems to unite in fortifying our defenses against emerging threats. Proactive collaboration among medical device manufacturers, regulatory bodies, and cybersecurity experts can help develop innovative solutions, enhance compliance with evolving standards, and ultimately safeguard patient safety. Through coordinated action, we can create a secure environment for connected medical devices, ensuring the health and well-being of those who depend on them.
