A CIA-Inspired Approach to Medical Device Cybersecurity

Cybersecurity is emerging as a key consideration for medical device engineers. The growing number of medical devices with wireless functionality is contributing to the trend, leading to real risks to patients' well being safety and privacy, explained Mike Ahmadi, CISSP, global director, medical security at Codenomicon at BIOMEDevice San Jose.

Ahmadi illustrated those risks by using the CIA triad of confidentiality, integrity, and availability.

Confidentiality. In this security model, confidentiality can be roughly equated with privacy and protection of sensitive information. In the medical realm, the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA-HITECH) were established to help foster the secure use of electronic health data. A problem related to confidentiality can lead to patient embarrassment or loss of confidence. The likelihood of physical injury is low.

Integrity. The integrity component of the CIA triad refers to limiting the access of sensitive data to authorized entities. "There's a high likelihood that failures in data integrity could hurt a patient," Ahmadi says, specifying that this could mean physical harm to the patient or loss of patient confidence. Such a problem would also constitute a breach of HIPAA-HITECH regulations.

Availability. The availability specified in the CIA triad refers to the dependability of the data, which can be temporarily hampered by power outages, upgrades, and hardware failures. Such problems in the medical device realm have a high likelihood of loss of patient confidence and can lead to patient harm.

Ahmadi pointed to the Philips Xper Buffer overflow vulnerability as an example of a medical device related cybersecurity vulnerability. Xper, a cardio physiomonitoring system, was found to be at risk of exploitation that enables hackers to execute arbitrary code with administrator-level privileges. Such an attack could make the personalized cardiovascular workflow platform susceptible to attacks related to all three levels of the CIA triad.

There are a number of cybersecurity failures that fall outside of the HIPAA-HITECH specifications. These relate to device breaches that involve data that is not considered protected health information. While these problems don't necessarily violate HIPAA HITECH, they can still cause patient harm.

Brian Buntz is the editor-in-chief of MPMN. Follow him on Twitter at @brian_buntz and Google+.