Industries
Aviation
Automotive
Defence
Energy
Finance
Government
Medical devices
Railway
Space
Our world
Our purpose
Culture & history
Our people
Our code
Partners
Quality promise
Expertise
Artificial intelligence
Cyber security
Digital transformation
Safety management
Systems & software development
Testing
User experience design
What's new
Careers
Join us
Life at Critical
Contacts
Downloads
Legal
en
pt
de
Critical Software
Critical Software
Critical Software
Critical Software
Blog

Memory Safety in Medical Devices: Understanding and Mitigating Critical Vulnerabilities

January 17, 2025

Explore the growing cybersecurity challenges in medical devices, with a focus on mitigating memory safety vulnerabilities. Learn how proactive strategies and solutions like Runtime Application Self Protection (RASP) can enhance security and protect patient safety.

Critical Software Image

RunSafe Security and Critical Software are partners in delivering comprehensive safety and security solutions for critical sectors in Europe and the US.

Author: Doug Britton, EVP and Chief Strategy Officer, RunSafe Security


Cybersecurity for medical devices has become a growing focus in recent years. As devices become more complex and connected, the opportunities for a successful attack or breach are only increasing. Embedded medical devices in particular have to consider the security of the software that allows these devices to operate.


In both the United States and the EU, we’re seeing new regulations that require medical device manufacturers to consider cybersecurity throughout the entire lifecycle of a medical device, from design and development to postmarket vulnerability management. 


One critical, but often overlooked, cybersecurity challenge within medical devices, particularly legacy medical devices written in C/C++, is the prevalence of memory-based vulnerabilities within software. Memory safety is such a widespread issue that one of the key aspects of Secure by Design from CISA in the United States is to address memory safety issues in embedded devices.


How big is the memory safety problem for medical devices and how can software manufacturers tackle it?



Memory Safety in Medical Device Software


Memory-based vulnerabilities present a significant risk to embedded medical devices. These vulnerabilities occur when software misuses legitimate code in memory, potentially allowing attackers to disrupt or takeover normal device operations. The implications are alarming: imagine an insulin pump operating at the wrong flow rate or an MRI machine producing incorrect results.


Legacy medical devices in particular are most susceptible to memory safety issues. The prevalent integration of these legacy systems into contemporary healthcare settings leaves the door open for attackers to impact patient care and the continuous operation of critical services.


In one example, Critical Software and RunSafe Security identified over 2,000 vulnerabilities in the legacy equipment of a medical device company. A significant number of these vulnerabilities were memory safety related and were high severity.



Mitigating Memory Safety Vulnerabilities in Medical Devices


There are several approaches medical device manufacturers can take to mitigate memory safety vulnerabilities:

  • Implement a secure development lifecycle and follow Secure by Design guidance
  • Leverage Software Bill of Materials (SBOMs) to enhance vulnerability identification
  • Rewrite code into memory safe languages
  • Implement proactive security solutions designed to mitigate memory safety issues

Because it is so important to secure medical devices through each phase of the device lifecycle, including postmarket, proactive solutions like Runtime Application Self Protection (RASP) make it possible to stop attackers from exploiting memory vulnerabilities even before a patch is available. 


RASP solutions allow software in already deployed devices to defend itself, mitigating memory-based vulnerabilities when they appear. This reduces the need to perform constant software patching, minimizing operational disruptions and protecting devices between software upgrades.


Remember our example above? The medical device company decided to assess the effect that applying RunSafe’s memory protection solution for embedded software systems would have on their attack surface and were amazed to find out that:

  • 44% of vulnerabilities were immediately mitigated after applying RunSafe technology
  • 71% of the most critical vulnerabilities were mitigated
  • 100% of Memory Safety vulnerabilities exploitable at runtime were mitigated



Key Takeaways for Medical Device Manufacturers


As the software supply chain for medical devices becomes increasingly complex, memory safety will continue to be a crucial consideration. By adopting proactive, comprehensive security strategies, manufacturers can protect both patient safety and device reliability.

  1. Prioritize memory safety as a critical security concern
  2. Integrate security testing throughout the development process
  3. Consider advanced mitigation technologies
  4. Maintain transparency about potential vulnerabilities
  5. Plan for ongoing security management throughout the device's lifecycle

The future of medical device security lies not just in identifying vulnerabilities, but in creating adaptive protection mechanisms that can anticipate and neutralize potential threats before they cause harm.


For more on cybersecurity for medical devices, tune in on demand to our webinar featuring Afonso Neto from Critical Software and Doug Britton from RunSafe Security.

View webinar