Medtech Industry Has Far to Go before Achieving Data Security

Bob Michaels

September 18, 2013


With the proliferation of wireless communications capabilities, medical device applications--including implantable devices--are being drawn into the maelstrom. But how is the medical device industry bracing itself to meet the new challenges posed by wireless technologies? How is it addressing the crucial question of data security? These and other questions were the subject of an FDA document released in August titled "Radio Frequency Wireless Technology in Medical Devices--Guidance for Industry and Food and Drug Administration Staff."

On September 27 at MEDevice San Diego, Billy Rios, global managing director of professional services at Cylance (Irvine, CA), will offer insights into the issue of medical device data security. In the Q&A below, he shares some of the themes he will cover in his conference presentation titled "The Risk of Hacking and Patients' Health Data Security in Active Implantable Devices."

MPMN: For implantable medical devices, what are the trends in wireless technologies and how do you think these trends will impact data security and hacking dangers in times to come?

Rios: Previously, we used to have a bunch of basic communications protocols that were very specific to the medical device, hospital, and healthcare industry, including HL7 and bedside protocol. These are protocols that are only used in hospitals and healthcare organizations. But we have seen that there is an opportunity to achieve tremendous efficiencies using other protocols that are being employed in other contexts, such as wireless, radio, RFID, and Bluetooth technologies. Thus, we're starting to see many medical technologies--such as implantable devices, monitors, and other devices--implement these other protocols.

Improving wireless data security will benefit a range of medical devices, including insulin pumps.

Understanding why medical device manufacturers want to have these capabilities is pretty straightforward. Shifting to the use of new protocols can improve their products. From a convenience and administrative standpoint, as well as from the standpoint of managing medical devices, these protocols offer many features. At the same time, when medical device manufacturers implement protocols that have been used in other sectors, they encounter the same problems that others have faced when they have implemented them. Such problems include wireless, radio, WiFi, and Bluetooth attacks. Such attacks are not new. When you stack these new communications protocols onto a medical device, users will encounter these problems, and they are going to have to address them.

The one difference between using these technologies in nonmedical settings and in implantable medical device applications is that updating an implantable device is much more difficult than updating the Windows XP operating system or software that has been downloaded from the Internet. Implantable devices represent a very, very big challenge. What this means is that if a medical device manufacturer wants to have an implantable device be remotely accessible via wireless, radio, or Bluetooth, they have to get it right the first time because if they don't, updating the device, improving the design, or improving the security of a particular feature is very expensive. In fact, much of the time it's so expensive that it's not feasible. Thus, the device users are stuck with what they've got.

MPMN: So, you've got to get it right the first time. With that in mind, what do developers of wireless medical devices need to know--from the design and technology standpoint--to achieve data security and protect patient safety?

Rios: We've come a long way from the first WiFi access points and encryption and security protocols. We should understand that. However, I've seen medical devices that simply cannot support new WiFi encryption protocols. They can only support such technologies as wired equivalent privacy (WEP), which was broken many years ago. Regardless of how you try to secure this protocol with a long pass phrase or wireless key, it just cannot be done in a secure way. But there are medical devices that only support this protocol.

It's difficult to say whether or not a specific protocol will be broken, but what's important is to understand protocols and have the agility to move to a different one when necessary. Thus, putting all your wireless medical device eggs in one basket is never a good strategy from a security perspective. Medical device manufacturers should know that there is eventually going to be a problem in their wireless stack someplace, and they must therefore have a good strategy in place for updating it, testing it for vulnerabilities, and getting updates out to the users of their medical devices in a meaningful way.

MPMN: How is that challenge being met at present?

Rios: Right now, I think it's being met very poorly. When we look at how the medical device world polices itself in terms of patching and security, we still see a great deal of obscurity. What I mean by obscurity is that we don't use real security mechanisms to protect these devices. While it remains difficult to acquire medical devices and related software, this barrier is falling quickly. Simple things such as auction sites and resellers are making it much easier for researchers or those with malicious intent to get ahold of devices. In addition, things such as misconfigured file transfer sites or Web sites make it easier to obtain medical device software. However, once someone has obtained a device or its software, much of the security that has been built into it is questionable. Devices often look as though they are protected by security measures, but they really don't have robust security features or mechanisms. This is definitely a problem in need of improvement.

When we look at the renewed interest from FDA and the Department of Homeland Security in getting cyber security guidance and passing regulations, that's a good step, but we still have a long way to go.

MPMN: This leads to understanding the regulatory landscape. What is going on in this area? What is FDA doing to accommodate the proliferation of wireless medical devices and improve data security?

Rios: It's a double-edged sword. We've done a lot of research in the industrial control systems world, in which there is no centralized regulatory body such as FDA. In that field, everyone is on his own. It really depends on the specific industry. Whether you're talking about the oil and gas, water, or electricity industry, you fall under different guidance authorities. The medical device world is interesting in that it has a centralized authority: FDA. That can be a good thing, but it can also be a bad thing. As long as FDA understands the landscape, as long as it has a good understanding of cyber technologies and how to secure them, such centralized authority can be good. And I think FDA does have a good understanding of what's going on.

While there is renewed interest in FDA, I don't think I've seen any regulations coming from it just yet. But it has passed guidance. More importantly, it has set up a data security laboratory and will be subjecting medical devices to very objective security measurements. In addition, through the use of specialized tools, it will objectively see firsthand where the industry is and ascertain the state of security for medical devices. I think that FDA will not be satisfied with the present situation. Once the lab is fully up and running, once the objective security measures and tooling are in place that are in development right now, once FDA gets a couple of devices put through the paces, it will realize that we have a long way to go. Once it has figured that out, I'm not sure what approach it will take. I don't know whether it means more regulation, more guidance, or working with specific vendors. But I do know that we are going to see a lot of traction in this area in the next couple of years. Whether the result is a wireless or IP protocol or whether it's just a medical device's security design, we are going to see a lot of movement in the next year or two.

MPMN: Could you speak more concretely about what technologies exist at this time to achieve general data security or protect wireless medical devices against hackers? And going from where things are today, what do you think the medical device industry will need to do to adapt to future data security issues?

Rios: I'm often asked how I speak to chief scientific officers of healthcare organizations about medical device security, and I think the question of wireless protocols used for such applications is very relevant. What I tell them is, "You're on your own. You're going to be expected to take a vulnerable medical device that's using a protocol that everyone knows is busted, understanding that the wireless security protocol you're exploiting is readily and freely available to anyone that wants to use it. But you're still going to be expected to secure the medical device. At the present time, it's going to be your organization's responsibility to find the security toolsets, the policies, and the architectures to ensure that your medical devices are secure and that the data being transferred back and forth are secure as well."

I don't agree with this state of affairs. There are other players in this world that have a responsibility to help medical device manufacturers implement wireless technologies securely--especially when they are going to be held responsible for some of the data that could be leaked or lost because of the insecure designs and protocols currently employed in medical device applications. Ultimately, only the device vendor can upgrade the wireless protocols that are supported by the device. End users cannot do this. They can architect their networks to mitigate some of the exposures, but they cannot eliminate them from the software stack. Only the medical device manufacturer can do that.

Thus, we definitely have a long way to go, and right now, much responsibility has been placed on the shoulders of the end user organizations to secure their wireless communications, and that's hard. To do so, the end users usually must bring in high-priced consultants that are experts in specific areas such as wireless encryption and wireless data protection to help architect and implement solutions to mitigate the vulnerabilities that are part of the medical device itself. And it's only going to get harder as such devices transmit bits of data and bits of command and control information back to centralized monitoring stations--a trend that will only increase with the development of new feature sets and medical device technologies. Thus, we're going to have to protect those data appropriately. Hopefully, medical device manufacturers can do their part to ensure that the devices themselves are robust and that they can support secure communications protocols. Hopefully, they can become agile enough so that when we find out that a certain protocol is weak, they can transition to a more secure protocol in a way that makes sense to the end user.

Bob Michaels is managing editor of Medical Product Manufacturing News.
