How can medical device manufacturers prevent cyberattacks?

Ian Bolland, editor of MPN’s sister title, Med-Tech Innovation, caught up with Rusty Carter, VP product management at Arxan Technologies, about the steps that medical device manufacturers are and should be taking to prevent against cyberattacks.

Following an interview three years ago with Rapid Life Sciences, Carter reflected on whether there was any great change during that period in the way device manufacturers were approaching protecting their devices, and what more there was to do.

He said: “I think the number of companies that have changed their behaviour is relatively small although I would say that it’s more on the very high end of those manufacturers.

“The good news is that the manufacturers that are developing medical devices are very concerned about patient safety, and as it pertains to their devices, both from a clinical standpoint but also now from a security standpoint. I talk to a lot of manufacturers that are either starting to adopt security controls, especially within the software, or they are asking me lots of questions about the threats that they face.”

Carter also explained that device and hardware manufacturers face a number of IT and software development challenges, and that relying on third party providers in the manufacturing process is a critical element.

With the number of connected devices continuing to rise, Carter feels that nothing can be taken for granted when it comes to their safety.

He continued: “We assumed that the clinical setting is safe and that’s no longer the case. Assuming that your medical device is always in a hostile environment, and assuming any system that receives data from that device can’t necessarily trust that device; that kind of mutual authentication and that integrity across those interfaces is really important because the data becomes as critical as the physical device.

“The interface between the physical device and the mobile device that is controlling it is definitely a big potential risk because the mobile device, they’re no longer coming from the medical device manufacturer.

“Super computing platforms like iOS and Android, the phones are so powerful they can do a lot, but they’re open to a lot of other software. They’re open to compromising of the operating system, manipulation of the software and other applications.”

Carter explained that two ways of providing security paths for such devices where they include proper code - and Arxan comes into, to strengthen the protection so it is harder for the device to be reverse engineered or tampered with.

“If security and developer teams look at their entire life cycle there are multiple points of interaction along that continuum and necessary feedback loops, you run source code analysis to find problems in the software, the most valuable piece of something like that is the information it provides back.

“As the application leaves the control of the developers, having that software feedback information into the operations of the business is critical and to give them visibility about the functioning and the security of the application.

“Ultimately the medical device manufacturer is going to be accountable for any risks and any potential damage and they’re in the business to help people. The clinician is not going to ask the patient if their device is rooted, what applications they also have on their device, is their application running the way it should – that’s not their area of expertise. Also, the manufacturer has that responsibility to the patient to ensure their safety and for them to understand how their application is performing in that interaction between the clinician and the patient. To get that feedback, both as to how the application is performing from a clinical and a security point of view, is really critical.”