Cybersecurity Challenges for Medical Devices

Regulatory Guidance

The FDA recently published guidance recommending that device manufacturers develop security controls in the design of their products to limit malfunctions resulting from computer viruses and attacks, and maintain the confidentiality, integrity, and availability of the device information.

At the same time, the latest HIPAA regulations also require risk assessments and the implementation of administrative, technical, and physical safeguards for systems that contain protected health information (PHI).

Manufacturers need to have systematic mechanisms for providing security updates and use design approaches that safeguard proper operation and protect patient safety even when security has been compromised.

Manufacturers will need to incorporate “security by design” concepts, conduct appropriate risk analysis, and use best-practice security testing and implementation techniques.

Cybersecurity Vulnerabilities

The Department of Homeland Security, NIST, and other industry groups have highlighted multiple potential attacks on medical devices and implanted medical devices (IMDs).

Cybersecurity vulnerabilities put patients at risk, and both the size of the attack surface and the number of incidents are increasing.

  • The VA has had 173 medical device infections since 2009
  • 300 medical devices from a single manufacturer were infected with the Conficker worm
  • 4000 completely unsecured devices were remotely detected on medical networks worldwide – PACS, CyberKnife – using a Shodan (Google-like) search
  • In 2008, a team of academic researchers, working in a controlled setting, showed that they could remotely exploit a defibrillator by delivering a command, using the associated wand and programmer.
  • In 2011, two security experts, working in controlled settings, showed on separate occasions that they could also remotely exploit an insulin pump.

Suggestions for Device Manufacturers

Manufacturers need to ensure Confidentiality, Integrity, and Accessibility Control of the devices they design. Privacy and Safety concerns should also be considered.

  1. Include security threats and vulnerabilities in the Hazard/Risk analysis of their devices
  2. Design and Build for security from day 1 of development – “Secure By Design”
  3. Validate Inputs; Include robust error handling and recovery
  4. Conduct Fuzz and Vulnerability testing: use negative test cases to find and remediate problems in how the device performs when presented with unexpected or anomalous inputs
  5. Eliminate default backdoor passwords – use unique / complex passwords, or require facility to change password for each device
  6. Implement Logging Capabilities – in the event of a failure, the facility and manufacturer should be able to monitor and audit the device history
  7. Support, test, and/or include Anti-malware or Intrusion Detection technology in devices
  8. Digitally Sign Firmware/Code, Use Source Code Analysis Tools, Support mechanisms for timely patching and updates of devices
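
Items 3 and 4 above, shown together as an added example (not code from any manufacturer): a strict parser for a hypothetical pump command frame and a small mutation fuzzer that checks the parser only ever fails through its one expected error type. The frame layout, opcode and rate limit are assumptions, and the CRC only catches corruption; it does not authenticate the sender.

```python
import random
import zlib

# Hypothetical frame layout (assumed for this example, not a real device protocol):
#   opcode (1) | payload length (1) | payload | CRC32 of preceding bytes (4, big-endian)
OP_SET_RATE = 0x01
MAX_RATE_TENTHS = 9999  # assumed safe upper bound, in units of 0.1 mL/h

class FrameError(ValueError):
    """Single, expected failure path for every rejected frame."""

def build_frame(opcode: int, payload: bytes) -> bytes:
    body = bytes([opcode, len(payload)]) + payload
    return body + zlib.crc32(body).to_bytes(4, "big")

def parse_frame(frame: bytes) -> tuple:
    """Return (opcode, rate) for a valid SET_RATE frame, else raise FrameError."""
    if len(frame) < 6 or len(frame) != 6 + frame[1]:
        raise FrameError("length field does not match frame size")
    if zlib.crc32(frame[:-4]) != int.from_bytes(frame[-4:], "big"):
        raise FrameError("checksum mismatch")
    if frame[0] != OP_SET_RATE or frame[1] != 2:
        raise FrameError("unsupported opcode or payload size")
    rate = int.from_bytes(frame[2:4], "big")
    if not 1 <= rate <= MAX_RATE_TENTHS:
        raise FrameError("rate outside safe range")
    return frame[0], rate

def fuzz(iterations: int = 5000, seed: int = 1) -> dict:
    """Negative testing: mutate a valid frame; only FrameError may escape the parser."""
    rng = random.Random(seed)
    valid = build_frame(OP_SET_RATE, (125).to_bytes(2, "big"))
    stats = {"accepted": 0, "rejected": 0, "crashed": 0}
    for _ in range(iterations):
        data = bytearray(valid)
        if rng.random() < 0.3:                  # truncate, then append random bytes
            data = data[:rng.randrange(len(data))]
            data += bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
        for _ in range(rng.randint(0, 3)):      # overwrite up to three bytes
            if data:
                data[rng.randrange(len(data))] = rng.randrange(256)
        try:
            parse_frame(bytes(data))
            stats["accepted"] += 1
        except FrameError:
            stats["rejected"] += 1
        except Exception:                       # anything else is a parser bug
            stats["crashed"] += 1
    return stats
```

A non-zero `crashed` count means some malformed input reached code that assumed it was well formed, which is the condition fuzz testing is meant to surface before release.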

Actions for Healthcare Facilities

There is a shared responsibility of both the healthcare institution and the medical device manufacturer to ensure the security of medical devices.

  1. Include medical devices in the organization’s “security risk assessment” (as required by HIPAA)
  2. Require Medical Device manufacturers to provide a statement describing each medical device’s security features and installation recommendations, including anti-malware support. A recently updated industry standardized format for such disclosures is the HIMSS Manufacturer Disclosure Statement for Medical Device Security (MDS2) http://www.himss.org/resourcelibrary/MDS2?navItemNumber=21740
  3. Isolate medical devices on a Virtual LAN (VLAN) and implement Centralized Log Monitoring to detect malicious activity and transmissions
  4. Report medical device malware infections and/or security issues to the manufacturer and the FDA
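
One way to apply item 3, as an added example rather than any vendor's tooling: a central monitor reads flow records from the device VLAN and flags anything a device sends outside a short allowlist, including device-to-device traffic. The subnet, server addresses, ports and log format are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Addresses, ports and the flow-log format below are constructed for illustration.
MEDICAL_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED = {                       # (destination, port) pairs devices are expected to use
    ("10.20.1.10", 104),          # assumed PACS archive (DICOM)
    ("10.20.1.20", 2575),         # assumed HL7 interface engine
    ("10.20.1.30", 514),          # assumed central syslog collector
}
# Constructed log: timestamp, source, destination, destination port, bytes sent
SAMPLE_FLOWS = """\
2020-01-01T10:00:01 10.20.30.15 10.20.1.10 104 48211
2020-01-01T10:00:04 10.20.30.15 10.20.1.30 514 312
2020-01-01T10:00:09 10.20.30.22 203.0.113.77 445 9100
2020-01-01T10:00:12 10.20.30.22 10.20.30.15 445 2200
2020-01-01T10:00:15 10.20.5.9 10.20.1.10 104 1000
garbled line from a failing sensor
"""

def find_alerts(log_text: str):
    """Return (alerts, malformed_count) for device traffic that leaves the allowlist."""
    alerts, malformed = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, _sent = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:        # wrong field count, bad address or bad port
            malformed += 1        # counted, because silent drops hide sensor failures
            continue
        if src_ip not in MEDICAL_VLAN or (str(dst_ip), port) in ALLOWED:
            continue
        if dst_ip in MEDICAL_VLAN:
            reason = "device-to-device traffic inside the VLAN"
        else:
            reason = "destination not on the allowlist"
        alerts.append({"time": ts, "device": src,
                       "dst": f"{dst_ip}:{port}", "reason": reason})
    return alerts, malformed

def devices_to_review(alerts):
    """Devices with at least one alert, most alerts first."""
    counts = Counter(a["device"] for a in alerts)
    return sorted(counts, key=lambda d: (-counts[d], d))
```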

Use of Encryption

Encryption is an important technique to keep sensitive health information and passwords private and out of reach of unauthorized individuals.

  1. Encrypt Sensitive Traffic and Wireless Transmissions
  2. Authenticate Devices and Users; Encrypt Passwords using one-way encryption (hashing)
  3. Low Power and Ultra-Lightweight Cryptography is becoming available for bio-sensors and Implantable Medical Devices (IMDs):
     – Hummingbird 2 – http://eprint.iacr.org/2011/126.pdf
     – PRESENT block cipher – http://www.kuleuven.be/english/news/ultra-lightweight-encryption-method-becomes-international-standard
     – ALE – http://www2.compute.dtu.dk/~anbog/fse13-ale.pdf
     – Blue Jay – http://eprint.iacr.org/2012/195.pdf
  4. Future: Biometrics derived from the body may be used as part of the security/authentication mechanism – http://www.technologyreview.com/news/428755/biometric-bracelet-lets-a-medical-device-recognize-its-wearer/
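
Item 2 here and the manufacturer suggestion to eliminate default passwords, combined in one added example (not code from any device): the account stores only a salted one-way digest, and the factory password grants nothing until the facility replaces it. The class name, iteration count and minimum length are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the device's CPU budget
MIN_LENGTH = 12       # assumed minimum length for a facility-chosen password

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 is a one-way function: the stored digest cannot be decrypted.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class DeviceAccount:
    """Hypothetical service account on one device; keeps only a salt and a digest."""

    def __init__(self, factory_password: str):
        self.salt = os.urandom(16)            # per-device random salt
        self.digest = _derive(factory_password, self.salt)
        self.must_change = True               # factory password is for provisioning only

    def _matches(self, password: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(_derive(password, self.salt), self.digest)

    def login(self, password: str) -> str:
        if not self._matches(password):
            return "denied"
        return "change_required" if self.must_change else "ok"

    def change_password(self, old: str, new: str) -> bool:
        # Reject a wrong old password, reuse of the current one, or a short new one.
        if not self._matches(old) or self._matches(new) or len(new) < MIN_LENGTH:
            return False
        self.salt = os.urandom(16)
        self.digest = _derive(new, self.salt)
        self.must_change = False
        return True
```

The caller should treat `change_required` as "authenticated for the password-change screen only", so the shipped credential never unlocks clinical or service functions.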

Conclusion

Today’s Medical Devices, on the bench and in the body, are often network connected and vulnerable to cybersecurity attacks — not addressing security in the design and testing process can put patients at risk. Medical device software must satisfy system properties including safety, security, reliability, resilience, and robustness.
