Figure: Policy-based filtering provides a critical missing layer of security for medical devices.
Security vulnerabilities involving medical devices have been well documented. For example, in 2013, manufacturers shipped out more than 300 devices to customers with hard-coded passwords, which could have permitted hackers to gain control of the devices and make it impossible to update the passwords to block future attacks. Hackers could then have exploited this vulnerability to change critical settings or modify device firmware. The vulnerability affected a wide range of device types, including surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.
The technological capacity to launch cyber attacks was demonstrated more recently when Kaspersky Labs announced that hackers—apparently the U.S. National Security Agency and the United States Cyber Command—inserted malware into the firmware of computer systems in Iran and other countries. Despite an operating system reinstall, the malware remained in place, enabling the hackers to discover encryption keys and crack encryption algorithms.
While bad actors continue to develop new and more sophisticated cyber attacks, many medical device manufacturers are failing to keep pace with the evolving threat landscape. Facing this challenge, manufacturers must take a new look at security and abandon the concept of ‘security by obscurity’ as the relic that it is. Ultimately, they must be willing to invest resources into building security into every new medical device while seeking ways to protect devices that are already in use.
Securing Critical Infrastructure Devices
From small to large and simple to complex, medical device products and system assets range from consumer gadgets to sophisticated hospital systems and are commonly designed to perform a range of specific tasks. Incorporating specialized operating systems such as VxWorks, Nucleus, Integrity, Freescale MQX, or a stripped-down version of Linux, they cannot accommodate new software or can do so only if they undergo an upgrade. And because many medical devices minimize processing cycles and memory use, they usually do not have the extra processing resources required to support traditional security mechanisms. Given the specialized nature of medical device technologies, standard PC security systems cannot protect them or even run on them.
To achieve IT security, large enterprises rely on the use of multiple layers of protection, including firewalls, authentication/encryption software, security protocols, and intrusion detection/intrusion prevention systems. Based on proven security principles, firewalls are well-established mechanisms, but they are largely absent from many medical devices and systems. Based on the assumption that medical devices are not attractive targets to hackers, that they are not vulnerable to attack, or that authentication and encryption can provide adequate protection, many manufacturers rely solely on simple password authentication and security protocols. However, these assumptions are no longer valid. As the number and sophistication of cyber attacks continue to rise, greater security measures are needed.
For more than 25 years, cybersecurity has been a critical focus for large enterprises. In contrast, it has become a focus only recently for most engineers who build embedded computing devices. “Experience is the best teacher, but the tuition is high,” according to the old saying. To avoid paying the tuition and ensure that their devices are secure, medical design engineers can take a page from the enterprise security playbook in order to:
- Create hardened devices with secure boot, authentication, and antitamper technology.
- Implement secure communication using security protocols and embedded firewalls.
- Enable device visibility based on remote command audits and event reporting.
- Improve security management using remote policy management and integrated security management systems.
- Develop policy-based filtering to provide a critical missing layer of security for medical devices.
What Does FDA Say?
Table I: FDA provides guidance to medical device manufacturers for building security into their systems.
To help ensure high levels of security, FDA has issued security guidelines for medical device OEMs that are designed to:
- Protect devices from hackers and cyber attacks that may be launched from the Internet, inside the corporate network, or via Wi-Fi networks.
- Control the packets processed by medical devices.
- Protect devices against denial-of-service attacks and packet floods.
- Manage and control changes to filtering policies and other security parameters.
- Detect and report traffic abnormalities, probes, or attacks.
By building the capabilities presented in Table I into their medical devices, manufacturers will be able to meet the FDA security guidelines.
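Packet control, flood protection and event reporting from the list above, shown as an added C example (not code from the article, Icon Labs or FDA): a default-deny allowlist filter with a rate limit and per-verdict counters. The rule layout, addresses, port and limits are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum verdict { PF_ALLOW, PF_DROP_POLICY, PF_DROP_FLOOD };
struct rule { uint32_t net, mask; uint8_t proto; uint16_t dport; };
struct filter {
    const struct rule *rules; unsigned nrules;
    uint32_t window_ms, max_per_window;  /* flood limit for policy-matching traffic */
    uint32_t win_start, win_count;       /* current window state */
    uint32_t events[3];                  /* per-verdict counters for event reporting */
};
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

/* Default deny: drop unless an allowlist rule matches, then rate-limit what matched. */
enum verdict pf_check(struct filter *f, uint32_t src, uint8_t proto,
                      uint16_t dport, uint32_t now_ms)
{
    enum verdict v = PF_DROP_POLICY;
    for (unsigned i = 0; i < f->nrules; i++) {
        const struct rule *r = &f->rules[i];
        if ((src & r->mask) == r->net && proto == r->proto && dport == r->dport) {
            v = PF_ALLOW;
            break;
        }
    }
    if (v == PF_ALLOW) {
        /* Fixed window; unsigned subtraction stays correct across timer wraparound. */
        if (now_ms - f->win_start >= f->window_ms) {
            f->win_start = now_ms;
            f->win_count = 0;
        }
        if (++f->win_count > f->max_per_window)
            v = PF_DROP_FLOOD;
    }
    f->events[v]++;   /* a management agent would report these counters */
    return v;
}

/* Constructed policy: only TCP from 10.20.30.0/24 to port 8443, 3 packets per second. */
static const struct rule pump_rules[] = { { IP(10,20,30,0), IP(255,255,255,0), 6, 8443 } };
static struct filter pump = { pump_rules, 1, 1000, 3, 0, 0, {0, 0, 0} };

int main(void)
{
    pf_check(&pump, IP(192,168,1,9), 6, 8443, 0);          /* off-policy source */
    for (int i = 0; i < 5; i++)
        pf_check(&pump, IP(10,20,30,7), 6, 8443, 10 + i);  /* burst from allowed host */
    printf("allow=%u policy_drop=%u flood_drop=%u\n", (unsigned)pump.events[0],
           (unsigned)pump.events[1], (unsigned)pump.events[2]);
    return 0;
}
```

Off-policy packets are dropped before the rate counter is touched, so a flood from a disallowed source cannot use up the window reserved for permitted traffic.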
Many legacy medical devices and systems that are already in place have been manufactured using inadequate security measures. Upgrading these devices to improve security requires that the device manufacturer develop newer software or firmware versions incorporating improved security features. Once a new version is available, the devices can be upgraded to provide enhanced security.
Figure: Icon Labs Floodgate defender provides a bump-in-the-wire solution to protect existing medical equipment and systems.
Unfortunately, the upgrade process may be difficult, expensive, or impossible. For example, some devices cannot be upgraded without being returned to the factory. Others may no longer be supported by the manufacturer, or the company may no longer exist. Replacing such devices is often prohibitively expensive, while newer devices with enhanced security features may not yet be available.
Among the methods for upgrading existing medical device security systems are bump-in-the-wire solutions. Based on Layer 2 encryption, such solutions ensure platform independence, do not require special software or hardware to manage routing decisions, and require little configuration and maintenance. For legacy medical equipment and systems that cannot be easily or affordably replaced or upgraded, bump-in-the-wire solutions offer a means to ensure valid communication.
How to Build Security into Your Device
A medical device that has protection built in, giving it a critical security layer of its own, is no longer dependent on a corporate firewall as its sole means of defense against threats, whether malicious or unintentional. For medical device applications, security solutions must ensure that the firmware has not been tampered with. They must also secure stored data and secure communications into and out of the device, providing protection from cyber attacks. This objective can only be achieved by designing security into the device from the start. There is no one-size-fits-all security solution for embedded devices, but customized systems are available that can meet specific device requirements.
Because today’s medical devices and systems are complex connected devices that are charged with performing a host of vital functions, including security in them is critical. Security features must be considered early in the design process to ensure that devices are protected from the advanced cyber threats they may face now and in the future.
Alan Grau is the president and cofounder of West Des Moines, IA–based Icon Labs.