How Linux Can Help Make Medical Devices More Secure

The open source operating system can help medical device companies improve product security.

Brian Buntz

Medical device cybersecurity is a "growing concern," FDA declared while announcing its latest guidance documents related to the subject. The topic has also been getting a considerable amount of attention in the past five years since security researcher Jay Radcliffe hacked his insulin pump on stage at a Black Hat conference in 2011. 

More recently, infusion pumps have emerged as having considerable security problems. In April of last year, a security researcher on Hextechsecurity.com called the Hospira LifeCare PCA3 device "the least secure IP-enabled device I've ever touched in my life." In May 2015, FDA released a warning related to the PCA3 and the similar PCA5 infusion pump.

In general, medical device companies should think about security as early as possible in the product development cycle, and medtech professionals should carefully think about the choice of an OS. "Security really needs to [be taken] into account, or else medical devices may become the weakest chain link in an ecosystem," says Brian Gartner, senior technology strategist at Linux distributor SUSE (Cambridge, MA). (Check out SUSE at Booth #661 at MD&M West, February 9-11, 2016 at the Anaheim Convention Center in Anaheim, CA.)

Open source software like Linux can help the medical device industry improve the cybersecurity of connected devices, Gartner says. Oftentimes, security vulnerabilities in the Linux OS are discovered by security researchers, who then notify the development community, which can often address the problem before it is even reported outside of the community.

By contrast, the approach of major manufacturers of operating systems is generally less regimented. "With a proprietary OS, developers can choose to deal with it however they might. They can bury it, fix it in six months, or do the right thing and fix it right away," Gartner says. "But with Linux, there is a peer pressure to get things patched very rapidly. The responsiveness is generally much better, and Linux developers are some of the fastest at patching bugs."

From a security standpoint, companies that provide enterprise Linux software like SUSE provide regular security updates to medical device manufacturers based on breaches recently detected by security researchers. "We notify our customers when a security update is available, and we provide documentation for it," Gartner says.

While there is generally a balancing act between usability versus security, medical devices are generally fairly easy to bring under a secure architecture because they typically have much more limited inputs than other types of computing platforms.

Medical device companies should consider providing different levels of data access to different types of users to further reduce risk. For instance, a person sitting at the front desk might have a different set of permissions than a nurse, who in turn would have a different set of rights than a doctor.

"If you look at federal government, they have had that mindset: when a person logs in to a software system, they see only what they are cleared to see," says Dennis Vetrano, sales and business development manager at SUSE.

(Check out SUSE at Booth #661 at MD&M West, February 9-11, 2016 at the Anaheim Convention Center in Anaheim, CA.)

Brian Buntz is the editor-in-chief of MPMN and Qmed. Follow him on Twitter at @brian_buntz. 

Like what you're reading? Subscribe to our daily e-newsletter.