Alan Grau, Icon Labs, looks at issues surrounding medical device security
Medical devices perform critical functions in surgery, inpatient hospital care, and clinical settings. They even play an increasing role in home health care. Millions of people rely on medical devices to stay alive and millions more depend upon them to improve the quality of their lives.
Few people, however, think about safety and security. These devices rely on specialised computers to control their operation. They often have a computer embedded within the system that not only controls the operation of the medical device but also provides communication capability allowing remote reporting, diagnostics and control.
Remote communication enables continuous patient monitoring, and remote diagnostics allow doctors to view patient information without requiring an office visit, providing significant convenience and cost savings. However, these same communication capabilities can expose the devices to a host of cyber-threats.
The cyber threat
There have been a number of well-documented security vulnerabilities involving medical devices. Perhaps the most startling of these was a report on June 13, 2013 from ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) that listed over 300 devices that relied upon hard-coded passwords. Hard-coded passwords can permit hackers to easily gain control of the devices, and they make it impossible to update the passwords to block future attacks. According to the report, the vulnerability could be exploited to change critical settings and/or modify device firmware. The vulnerability affected a range of devices including:
Surgical and anaesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.
This issue was so severe that it prompted an alert by the FDA and Department of Homeland Security containing security guidance for medical device manufacturers.
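As an added illustration that is not part of the original article or the ICS-CERT report, the Python example below contrasts a hard-coded password with a per-device credential that can be rotated in the field. The names DeviceCredentialStore and provision_unit, the sample password, the 12-character minimum and the PBKDF2 iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to the device's CPU budget

# Weak pattern: one literal compiled into every unit, with no way to change it.
HARDCODED_PASSWORD = "service"  # constructed sample value

def login_hardcoded(password):
    return password == HARDCODED_PASSWORD

class DeviceCredentialStore:
    """Hypothetical per-device credential record held in writable storage."""

    def __init__(self, factory_secret):
        self.must_change = True  # factory secret only unlocks rotation
        self._store(factory_secret)

    def _store(self, password):
        # Keep a salted, stretched digest, never the password itself.
        self.salt = secrets.token_bytes(16)
        self.digest = self._derive(password)

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def verify(self, password):
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._derive(password), self.digest)

    def login(self, password):
        return not self.must_change and self.verify(password)

    def rotate(self, old, new):
        """Replace the credential in the field; returns True on success."""
        # The 12-character minimum is an assumed policy for this example.
        if not self.verify(old) or new == old or len(new) < 12:
            return False
        self._store(new)
        self.must_change = False
        return True

def provision_unit():
    """Factory step: each unit gets its own random initial secret."""
    secret = secrets.token_urlsafe(12)
    return secret, DeviceCredentialStore(secret)
```

With this layout a secret recovered from one unit does not authenticate to any other unit, and an exposed credential can be replaced without a firmware update.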
Security challenges
Medical devices are very different from standard PCs. They are fixed-function devices designed to perform a specialised task and often run a specialised embedded operating system instead of Windows or Linux. Installing new software on the system in the field often requires a specialised upgrade process or is simply not supported. These devices are optimised to minimise processing cycles and memory usage and do not have a lot of extra processing resources available. PC security solutions won’t solve the security challenges of these devices.
Challenges for medical device security include:
Critical functionality - medical devices control life-enabling systems and manage sensitive data.
Replication - medical devices are mass produced. A successful attack against one of these devices can be replicated across all devices.
Security assumptions - many medical device engineers have not considered security a critical priority.
Not easily patched - most medical devices are not easily upgraded. Once they are deployed, they will run the software that was installed at the factory.
Long life cycle - this can be as long as 20 years. Building a device that will stand up to the security requirements of the next two decades is a challenge.
Deployment - medical devices may be mobile or may be deployed in the home, environments lacking the protections found in a corporate environment.
There is no one-size-fits-all security solution for medical devices. Engineers must take into consideration the cost of a security failure (economic, environmental, social, etc.), the risk of attack, available attack vectors, and the cost of implementing a security solution.
It is critical that security is built into the device itself, so that the device is not dependent on the corporate firewall as its sole layer of security and security can be customised to the needs of the device. This requires security software designed for use in embedded devices. Security features must be considered early in the design process to ensure the device is protected from the advanced cyber-threats it will be facing.