As Medtech Goes Wireless, Learn How to Mitigate Security Risks

Bob Michaels

June 5, 2014


"When it comes to wireless data communications in the medical device sphere, we always have to address an element of serious risk," remarks Steve Abrahamson, director, product security engineering at GE Healthcare (Milwaukee). "However, there are processes that we can apply to make sure that we're managing the risk." This is one of the messages that Abrahamson, together with Geoffrey A. Pascoe, specialist master at Deloitte, will deliver at MD&M East in a joint presentation titled "Addressing Data Security Concerns of Wireless Medical Devices."

"For any type of wireless or mobile device, GE Healthcare follows a multitiered risk-assessment process," Abrahamson explains. "This process includes baselining, whereby we look at the device's function, intended use, and such risk characteristics as whether it's mobile, wireless, remotely accessible in some way, a storage system for patient data or a device with a high level of medical urgency. Second, we look at the specific risks associated with privacy--in other words, whether the data flows associated with the device contain certain personal information. Third, we assess whether any remaining cybersecurity risks may not be covered in the first two steps."

While the first step of the risk-assessment process involves looking at general factors, the next two steps tailor the risk level to more specific aspects of the device, such as specific data flows and other risks associated with it, Abrahamson says. In these steps, the company tailors a control set to the risk level of the device. To do so, it uses an accepted standard such as NIST SP 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations." In addition, related standards can be used to incorporate other types of controls not covered in NIST SP 800-53. "The purpose of these standards is to match the risk assessment to a control list," Abrahamson comments. "Some of these controls are specific to wireless technologies. It's important to pull these controls into your design input."

Key considerations for wireless medical devices include ensuring that appropriate methods are in place for establishing connections and that communications take place on an authenticated and authorized device. It is also necessary to consider the potential loss of proprietary information that may reside on the device and to protect against the possibility that an intruder might compromise the integrity of the data or the device function.

One method for accomplishing these objectives is code-check technology, Abrahamson says. From a safety perspective, one of the key risks is that someone might disrupt the code. Thus, mechanisms such as checksums, antidebugging mechanisms, and authentication mechanisms should be implemented. "For example, if you use an Apple mobile device, you need something to detect whether it's been jailbroken. There are various ways of building code checks into the device to ensure that the code is executing properly. That's going to enhance the safety posture."

To ensure the security of a mobile x-ray machine, GE Healthcare subjected it to a risk assessment. A movable device that stands several feet tall and is positioned on a cart, this machine can be wirelessly connected to a hospital network to support mobility. Alternatively, if the hospital doesn't have wireless capability or it considers wireless connectivity to be too risky, it can use the machine in tethered mode. Either way, the device is subjected to a baseline analysis based on its functional and other characteristics, such as its ability to store a certain number of patient records and its high level of medical urgency.

"These and other factors position the machine in a high-baseline category," Abrahamson comments. "The way that we have defined our baseline, a high-risk baseline automatically maps to a set of about 120 controls from the controls catalog. Then, we conduct the next two steps--a privacy and a security risk assessment. Finally, we pull in an additional 10 to 20 security controls based on the specifics of the device. All told, we end up with a set of approximately 130 to 140 specific design inputs that mitigate the security risks associated with the machine." Some of these inputs, Abrahamson adds, are specific to wireless data flows, while others are linked to such attributes as access and audit controls. But within the control set, the company picks up controls to mitigate risks associated with specific functions.

The risks associated with implementing wireless communications cannot be eliminated entirely, Abrahamson concedes, but the application of a logical method such as a risk assessment can help medical device manufacturers to identify the risks and apply appropriate controls for mitigating and containing them at a manageable level. And while the wireless sector, including mobile medical devices, introduces additional attack surfaces and risks, recognizing them will enable device makers to address them by implementing controls in the design process. --Bob Michaels

Bob Michaels is senior technical editor at UBM Canon.
