Posted by Chandu Ketkar on June 1, 2015
From a security viewpoint, medical devices differ from conventional web applications, mobile applications, and other types of embedded applications which security researchers commonly encounter.
First, medical devices come in many forms: devices that are embedded in the human body, used in hospitals, and used by patients at home. Security professionals need to recognize the context of how and where medical devices are used in order to address their unique security challenges.
For example, think about a medical device in an operating room where user authentication is not practical. (What if the doctor forgets the password before starting the medical procedure?!) This situation creates a unique concern for a security professional. We need to protect the device from a malicious user, but user authentication is not a control that will work. How do we address this?
Second, medical devices have a long life cycle; some of them have been in use for years, if not decades. That makes securing such devices more challenging. Imagine a device made in the early 1990s that is still being used today. It was created when security was not even an afterthought, and its hardware is likely to have severe computing-power restrictions that limit its ability to implement some of the common application security solutions we have today.
In previous blog posts, we've covered the need for secure architecture for medical devices and prescriptive guidance for building code for medical devices. We continue to research and develop new strategies for medical device security in our work with customers and other industry leaders.
Synopsys has just returned from one of the top conferences covering medical device security, Archimedes, an event we have participated in actively since 2013. We brought back the latest trends and information from the industry.
The Archimedes Medical Device Security Conference is unique because:
When bringing stakeholders from all parts of the medical device ecosystem together, you have the benefits of an exchange of ideas within a broader context. Plus, this sharing of ideas occurs in a “side-effect free” environment. Participants in the Archimedes Conference take the “Las Vegas rule” seriously, allowing for a free flow of ideas, realities, and possible solutions to tackle some of the unpleasant realities in medical device security.
At this year's conference, Synopsys security consultant Dan Lyon gave a presentation about how to achieve the optimum spending on security features.
Because of the “Las Vegas rule,” we can’t share the full presentation, but we can provide the abstract of his talk.
Creating secure medical systems can be a challenge because of the tradeoffs that have to be made. If security features are funded, that means funding to deliver more patient benefit is reduced. Like Goldilocks and the Three Bears, the optimum security solution requires not too much nor too little funding. But how do you achieve that optimum? One way is through leveraging systems engineering techniques and processes to help manage complexity and drive tradeoff analysis. The presentation showed why and how to optimally fund systems engineering activities for building security in, as well as an example of how system engineering tools can be used for tradeoff analysis and incorporated to extend security into reliability domains.
The presentation is based on two publicly available whitepapers:
If you have questions or thoughts on medical device security, please let us know. We are here to help you understand the unique challenges of medical devices and work with you to make them more secure.