Curing The Security Sickness in Medical Devices

Just as the rapid development of the Internet of Things (IoT) has transformed traditional industries and service sectors, it is also having a great impact in the world of healthcare. It’s easy to argue, in fact, that no area is being transformed by digital technologies as rapidly or with as many benefits for society as new medical technologies.

But the understandable desire to press ahead and unlock those benefits has led to a lack of scrutiny on the subject of digital security in devices for treatment and monitoring, and a spate of high-profile problems in the area has begun to concern many. In the US, the Food and Drug Agency (FDA) has issued formal warnings about cybersecurity vulnerabilities in four separate products in the last 18 months. It has also hosted an array of consultations and workshops focussing on the cybersecurity of medical devices. The most recent product notice from the FDA, regarding an exploitable flaw in connected cardiac pacemakers, seems to be finally waking the industry up to the threats that connected technologies bring.

Fortunately, there are solutions which can allow healthcare innovation to continue unimpeded, and plenty of lessons that can be learned from experiences in other areas. The rulebook for minimizing the risk of unauthorised access, and limiting potential damage in the event of a device being compromised, is broadly the same as protecting other connected and operational technologies: better collaboration, lifecycle management, network monitoring and a “secure by design” ethos to new products.

What we don’t have is time: securing medical devices is a life and death issue, and most in the field fear that a new major attack is imminent. Vendors, practitioners and security experts must all work closely together to combat the well-funded actors who pose a threat.

Connected healthcare

The benefits of connected medical devices are unquestionable, with much progress being made in terms of treatments and cures. For example, we’ve already seen low-cost blood sugar monitoring implants that can synchronize with a smartphone to help diabetics manage their condition. Networked X-ray and ultrasound machines that can deliver instant images to a practitioner’s desktop are also speeding up diagnosis and treatments in emergency rooms from Seattle to Singapore.

The problem is that as medical devices have become increasingly connected, they have also become exposed to an array of potential security flaws. This connectivity, and the benefits it has bestowed upon us, such as remote monitoring and data gathering and analysis, have brought with them new risks.

The most obvious is that of a direct attack on a medical device over the internet, but even restricting access to a hospital’s network, for example, doesn’t guarantee safety. When devices are connected to hospital networks they also become potentially vulnerable to indirect attacks.

When the WannaCry ransomware shut down large sections of the UK National Health Service’s IT systems earlier this year, it was aiming to disrupt services in order to achieve ransom payments on behalf of its creators. While not directly targeting medical devices, this does highlight the possibility that a future attack on hospital IT systems could use compromised desktops to infect the connected medical devices being relied upon to keep us alive. 

The reverse scenario, in which a poorly secured medical device acts as a gateway to IT infrastructure and patient records, is no less troubling. 

The diagnosis

Healthcare providers should be well aware of these dangers as security experts have been warning of them for many years. At the very least, medical device manufacturers need to be conscious of the legislative work around the world that is aimed at enforcing better protection of networks and systems. Close reading of new data privacy and breach disclosure laws will help encourage good practice, and in the US the FDA has strict requirements around public safety and is acutely aware of the issues, as demonstrated by the recent pacemaker recall.

To help meet these compliance obligations and secure the safety of patients, the security industry and medical device manufacturers must develop closer relationships, ensuring that new devices are manufactured with best-practice defences baked in.

The ability to identify and react to new and emerging threats in a timely manner is tough, but not insurmountable through proper collaboration. There are many lessons that have been learned from other sectors and industries that can be applied to the emerging threat landscape in healthcare.

For new devices, mitigating the risk to both the business of medical provision and the quality of patient care begins with a solid framework for managing devices and applications. This is achieved using a secure by design concept in which medical devices go through a Secure Systems Development Lifecycle (Secure SDLC) program.

In a traditional SDLC process, a project is mapped out from scoping the requirements, through design, development, testing and deployment. A Secure SDLC framework brings in security concerns at the very beginning of the process, and risk assessments happen at the very earliest stages of development. Threat models are refined and incorporated into design, while security testing is as important and conducted as early on as user experience and other assessments in a traditional approach.

The aim is to maintain and monitor products throughout the entire period that they are in use, in a manner suitable for their application. One unique challenge for medical devices, for example, is that in many situations offline updates to fix security flaws are not an option. There is no acceptable failure rate for patching an implanted pacemaker. These are challenges that must be compensated for early on.

We know that bad actors will always find new exploits and methods of attack, so part of the Secure SDLC process includes future vigilance for unexpected behaviors which could indicate a novel threat has been found.

In terms of the infrastructure for connected medical devices, more care needs to be taken with proper network segmentation. This will help reduce the risk of unauthorized access or cross-infection from IT systems, and will further secure new devices and help protect the many legacy devices out there. Done correctly, this doesn’t mean any less convenience – those X-rays will still make it to the GP’s desk at speed – but the extra steps of protection must be in place.

The right resources to safeguard life-saving new technologies to the best of our current ability are available, and both the will and incentive to implement them are there. Time, however, before the next attack on our healthcare systems, is likely to be short, and we all need to be prepared.

Jalal Bouhdada is Founder and Principal ICS Security Consultant for Applied Risk. He has over 15 years’ experience in Industrial Control Systems (ICS) security assessment, design and deployment with a focus on Process Control Domain and Industrial IT Security. Jalal has led several engagements for major clients, including many of the top utilities in the world and some of the largest global companies in industry verticals including power generators, electricity transmission providers, water utilities, petrochemical plants and oil refineries. He holds a B.S. degree in Security Assurance from Amsterdam University of Applied Sciences and is an active member of the Industrial Internet Consortium (IIC), ISA99, NEN, CIGRE and other professional societies.