How to ensure your medical devices are protected

Web content editor, Ian Bolland, caught up with Natali Tshuva, co-founder and CEO of Sternum, an Israeli-based company which offers cybersecurity protections for medical devices.

Tshuva explained Sternum aims to provide its solutions to device manufacturers so they can embed security on the device itself during the manufacturing process. This embedding of protection means that the company focuses on exploitation rather than device vulnerabilities. 

Explaining more about the company’s focus, Tshuva said: “Our main focus is IoT, high value devices which are part of a managed network. A good example for that is homecare medical devices like pacemakers and insulin pumps which don’t have security as part of their hospital network because the patient goes home with them. This is a good example of where Sternum’s technology can be embedded inside the device itself to keep it safe during the lead time, institution and operation of the device.

“Every operation on the device itself is being filtered and monitored by our technology. You can describe it as ‘on-device firewall’ because it’s basically checking and monitoring every operation and allowing all the legitimate operations to happen on the device.

“Our solution is integrated at the research and development stage. Once installed, the device manufacturer has the ability to build new firmware, with our protection already embedded. Once this protected firmware is created, all devices – including post-market devices – can receive relevant updates with the enhanced firmware.

“This process is automatic so when new code and functionality is added, it will also be protected by our EIV solution. Our solution works with pre-market and post-market devices, and fits all existing operating systems, hardware, and resources. The same code is implemented to all devices within a managed, or unmanaged, network.” 

The company contains personnel from a background of cybersecurity, defence and understanding how attackers work – with some receiving training from an Israeli intelligence unit – but with a shared desire of having an effect on the medical industry in some form.

“When we started studying medical devices and the medical industry in general, we discovered this need to secure this connected healthcare. This is what drew us to find the company.”

While cyberattacks on medical devices are becoming more prominent, Tshuva believes there is an increased effort from manufacturers to guard against such threats – and feels that a rise in cyberattacks is a knock-on effect of devices becoming more connected –comparing it to a time when the internet started to become more mainstream where similar issues developed.

“In order to deal with such scale of events and more sophisticated attacks, medical device manufacturers need some advanced solutions – probably not developed in-house to handle this advanced security threat on devices.

“The connected healthcare revolution is happening and we’re seeing more medical devices being connected to enable remote care and remote monitoring of patients. Once devices get connected, they automatically become more vulnerable and more attractive to hackers – whether it’s for stealing sensitive information or to perform ransomware attacks on manufacturers or hospitals.

“There are devices that are under or within the hospital perimeter and there we can see fusion pumps and MRI machines and ECG machines – some of them are IoT devices and they’re vulnerable at the same level as remote medical devices like pacemakers and insulin pumps.

“The difference is that hospitals have their own defence mechanisms like a firewall or other security solutions to secure the hospital network itself. When we talk about distributed medical devices like pacemakers and insulin pumps, they are both vulnerable and lack the network security solution to help secure them. I think that you can think of them as the more vulnerable devices.”