Mike Pittenger, Black Duck Software, advises device manufacturers on how medical device security can be extended to open source.
Testing for security vulnerabilities in medical devices rarely happens, according to a 2017 report by the Ponemon Institute, sponsored by software security firm Synopsys. The report found that over half of healthcare delivery organisations do not test for security issues or are unsure whether testing occurs. 36% of device makers do not test already-released medical devices to find new or previously unidentified vulnerabilities.
Over two million patients in the United States have implanted devices, including pacemakers and implantable cardioverter-defibrillators (ICDs). More than seven million patients benefit from remote monitoring and connected medical devices as part of their care. In the United Kingdom, as many as 39,000 people are fitted with pacemakers annually.
Visibility of security of devices is critical
Security threats to medical devices present a risk to safety. If a device has open, unused communication ports, an attacker could upload unauthorised malware which could compromise the device’s clinical performance. A vulnerability discovered in a pacemaker could result in its being reprogrammed by an unauthorised user. The end result could be a life-threatening injury or death.
For example, a research team found it could reprogram a patient's ICD. The researchers were able to instruct the device not to respond to a cardiac event, such as an abnormal heart rhythm or a heart attack. They also found a way to instruct the ICD to initiate its test sequence – delivering 700 volts to the heart – whenever they wanted.
While there has yet to be a documented incident in which the code of a medical device was breached to conduct an attack against an individual, medical devices in hospitals are often riddled with malware, which can disrupt patient-monitoring equipment, sometimes rendering the devices inoperable or becoming an entry point for the theft of private healthcare information.
In May 2017 a global cyberattack put lives at risk by paralysing computers at National Health Service (NHS) facilities across the UK. Thousands of operations and appointments had to be cancelled as the WannaCry malware threatened to delete files unless ransoms were paid.
Visibility into the security of the components used in medical devices is critical, as is security testing. Just as important is continuous monitoring of those components for new vulnerabilities, including establishing a process for:
- Identification and detection of cybersecurity vulnerabilities and risk
- Understanding, assessing and detecting the presence and impact of a vulnerability
- Plans to eliminate the vulnerability and respond to regulatory or market requirements
- Compensating controls, such as a Web Application Firewall or Intrusion Protection System rule, to mitigate the risk of those vulnerabilities
A major driver of the technological revolution in medical devices is software, and that is built on a core of open source. A study conducted by Black Duck’s Center for Open Source Research & Innovation (COSRI) found that the average commercial application included almost 150 discrete open source components, and that 67% of the 1000-plus commercial applications scanned for the research included vulnerable open source components.
Healthcare and life sciences software use a large amount of open source. The COSRI study cited found the average application in this market was made up of 46% open source – almost half the code base. Healthcare, health tech, and life sciences applications had the highest concentration of open source of any industry!
With this level of open source, added to the fact that over 2,000 new vulnerabilities are disclosed in open source components every year, these applications warrant security scrutiny. To defend against open source security risks, medical device OEMs and suppliers should:
- Fully inventory open source components. A full and accurate bill of materials of the open source used in applications is essential.
- Map open source against security vulnerabilities. Manufacturers must determine if the open source components they use are vulnerable to security exploits.
- Establish processes to receive timely alerts on new security threats. Given the number of new open source vulnerabilities discovered and disclosed every year, medical device manufacturers need to continuously monitor for new threats as long as their devices remain in service.
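As an added illustration of the three steps above (example code, not from the article or from Black Duck), the following Python script checks a constructed bill of materials against a constructed advisory feed and then reports only the advisories that are new since the previous check. Every component name, version and advisory id in it is a made-up placeholder.

```python
# Added example (not from the article or Black Duck): map a constructed open
# source bill of materials against a constructed advisory feed, then report
# only advisories that are new since the last check (continuous monitoring).
# All component names, versions and advisory ids are made-up placeholders.

# Constructed bill of materials for a hypothetical device firmware image.
BOM = [
    {"name": "libexample-tls", "version": "1.2.3"},
    {"name": "example-json", "version": "2.0.1"},
    {"name": "example-http", "version": "0.9.8"},
]

# Constructed advisory feed: (id, component, first affected, first fixed).
ADVISORIES_DAY1 = [
    ("EX-ADV-0001", "libexample-tls", "1.0.0", "1.2.4"),
    ("EX-ADV-0002", "example-json", "2.1.0", "2.1.5"),  # 2.0.1 is outside the range
]
# The same feed one day later, with a newly disclosed advisory appended.
ADVISORIES_DAY2 = ADVISORIES_DAY1 + [
    ("EX-ADV-0003", "example-http", "0.9.0", "0.9.9"),
]

def parse_version(v):
    """Convert a dotted version string into a tuple for ordered comparison."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)

def map_vulnerabilities(bom, advisories):
    """Return {advisory id: component} for every BOM entry in an affected range."""
    hits = {}
    for comp in bom:
        for adv_id, name, first_affected, first_fixed in advisories:
            if comp["name"] == name and is_affected(comp["version"], first_affected, first_fixed):
                hits[adv_id] = name
    return hits

def new_alerts(bom, previous_feed, current_feed):
    """Advisories affecting the BOM that were absent from the previous feed snapshot."""
    before = map_vulnerabilities(bom, previous_feed)
    now = map_vulnerabilities(bom, current_feed)
    return {adv_id: name for adv_id, name in now.items() if adv_id not in before}

if __name__ == "__main__":
    print("known on day 1:", map_vulnerabilities(BOM, ADVISORIES_DAY1))
    print("new on day 2:", new_alerts(BOM, ADVISORIES_DAY1, ADVISORIES_DAY2))
```

Running it prints the single advisory that matches the day-one feed and then the one advisory that appears only in the day-two feed, which is the alert a monitoring process would raise.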
Open source lowers development costs, speeds time to market, and accelerates innovation. However, visibility and control over open source are essential to maintain security and code quality of medical device software and platforms.