Posted by Jim Ivers on May 30, 2017
Originally posted on SecurityWeek.
The device that dominated my attention was the infusion pump attached to my IV line. First, it became my constant companion if I left my bed, so we quickly became quite close. Second, it reminded me of specific hacks demonstrated by security researcher Billy Rios. Specifically, the hack where he shows how such a device could be used to endanger the life of the patient. For those of you who have never had the pleasure of being connected to an infusion pump, it is a device that continuously meters and dispenses medicine intravenously into the patient. These pumps are widely deployed and used for a wide range of treatments and medical conditions. They are not terribly complex or exotic, so they represent a fair example of a connected medical device. They also stretch the term “connected” as they are connected to the network and connected to the patient.
A few weeks ago, I had the pleasure of seeing Billy deliver his presentation on medical device security in person, and my experience with the infusion pump came flooding back to me. Hearing him speak again inspired me to explore the subject and use medical device security to build on the points I made in my last column comparing security and quality in the context of software; specifically, their relationship to developing and deploying software.
Now, as I consider medical device security, I want to add safety and privacy into the conversation. I believe these two elements exist side-by-side with quality and security as characteristics of good software.
Let’s start with privacy, which I’ll define as the protection of personally identifiable data (my personal data). Connected medical devices collect and store patient information as part of their normal operation. With the advent of connected devices, privacy and security have become tightly linked because theft of private data is often the goal of malicious attacks.
However, it is entirely possible for software to expose private data without the involvement of a malicious outside agent. The mishandling of a device can create the same amount of exposure as an attack. For example, what happens when an infusion pump is sent away for repair? Does the hospital clear the memory of the device before releasing it to the shop? It stands to reason that someone qualified to repair such a device would have the knowledge and privilege to access data on the device.
Safety is also a critical element because the same medicine that provides help and relief to a patient may cause serious problems or even prove fatal if improperly administered. For example, if the device dispensed the medicine too quickly, the safety of the patient would be compromised. The cause could be traced to mechanical problems, software quality issues, or an outside agent compromising the software.
Quality assures that the infusion pump performs the way it’s intended to. In this case, the pump should dispense the proper volume of medicine at the proper flow rate. The software in the device is crucial to controlling the device based on the settings entered for each medicine. Defects in the code could cause the pump to malfunction, resulting in real harm to the patient.
Software for medical devices existed well before they became connected. However, manufacturers now leverage the connected nature of devices to update the software on a regular basis to enhance their capabilities and extend their useful life. This opens the door for more exposure to quality issues beyond the initial software in the manufacturing process.
Security is pervasive in our scenario—both physical security and protection from external attack as a connected device. The software must authenticate the operator of the device to ensure that it cannot be improperly used by an unauthorized person. Since the device is protected, the software must also be protected against attacks that allow for remote operation of the device or exfiltration of patient data.
This is not just my imagination, as Billy Rios has ably demonstrated in a sobering way. Billy documented an attack on an infusion pump where he infiltrated the device, remotely put the device into a test mode, and initiated a volume test that quickly emptied the medicine in the pump. If the pump was attached to a patient and the medicine in the pump was harmful or fatal at high doses, the safety of the patient would be at obvious risk.