Tips to Keep Your Medical Device from Getting HackedTips to Keep Your Medical Device from Getting Hacked
June 20, 2013
The threat of hacking medical devices is very real in the eyes of FDA, which recently published draft guidance requiring device makers to beef up security of devices. A recent article in The Economist points out the scope of the problem: More than half of medical devices marketed in the United States employ software. Often, that software is extremely complex. The software used in an MRI machine may exceed 7 million lines of code. Complicating matters is the growing trend of connecting medical devices to networks and the Internet. While connectivity certainly has obvious benefits, it also opens up security threats.
Another factor is that the developers of medical devices has historically assumed that their products are safe from a security standpoint. "Initially, most connected medical devices were either in closed networks or they were fairly special-purpose devices so engineers didn't worry about people attacking them," says Alan Grau, CEO of Icon Labs. "They figured they were obscure enough that it wasn't a big security threat." Now, however, there are numerous legacy devices that were built without much security that are connected to the Internet--some of which are wide open, he adds. "Even now, people building newer medical devices frequently are not doing it at a level of security they need."
So what is the best strategy for device makers to prevent hacking? Grau provides four strategies:
Strategy 1: Design devices that require users to take basic security precautions. "You want to make sure you have some built-in capability to ensure the device is properly configured," he says. "Sometimes a device will be employed and nobody will reset the default password." Warnings and notifications can be used to make sure the end user enables security features and take basic precautions such as using secure passwords that are routinely updated. "Are the users employing uppercase and lowercase letters in passwords along with numbers, special characters and a minimum length? Fairly simple precautions like these are the first step to improving medical device security."
Strategy 2: Take a systematic look at the security the device provides--and don't underestimate the power of the firewall. The firewall is the cornerstone of security in enterprise networks and the desktop world. In the embedded space, for a variety of reasons, the firewall is often ignored. "Those devices might have some good security protocols but many of them don't provide a firewall. Adding a firewall to a device is really important--it provides the ability to control who you talk to and what protocol and communications are allowed." If you are attacked, it provides a level of defense while avoiding some attacks entirely. "Most attacks will never reach past the firewall level in the device."
Strategy 3: Use a layered approach. "I do think a layered defense is important. I would not just say put a firewall on and that is the solution. Don't just stop at that. You also need to look at authentication and encryption protocols."
Strategy 4: Consider the human element. "Thoroughly consider questions such as 'How are these devices being used? Who has access to them?' Oftentimes, some of the biggest security breaches are essentially insider attacks--whether it is a disgruntled employee or former employee that has access to information that they used to hack devices or people who are unintentionally causing problems." he says. "You don't know what kind of attacks you might face but you want to make sure you protect against them." Anything engineers can do to encourage end users to run security tests is advisable.
Brian Buntz is the editor-in-chief of MPMN and Qmed. Follow him on Twitter at @brian_buntz.
About the Author
You May Also Like