Software Integrity


Hacking medical devices: 5 ways to inoculate yourself from attacks

A terrorist hacks into the US Vice President’s pacemaker to murder him. It happened on the Showtime series Homeland, but could it happen in real life? Most security experts agree that such a scenario is highly unlikely or even downright impossible. However, that doesn’t mean you should ignore the real security risks that medical devices and systems introduce. They may not be as extreme as Hollywood portrayals, but security vulnerabilities and data breaches in medical devices and systems can put patient safety at risk and expose healthcare companies to data-disclosure and HIPAA regulatory risks.

It’s been estimated that three million baby boomers will reach retirement age every year for the next 20 years. This rapid growth of an aging population means there will also be a rapidly growing need for healthcare products and services. With an increasing number of medical devices being developed, many of them are enhanced with connectivity to server-side systems. The result is a surge in the need for medical devices in addition to system security expertise.

Healthcare companies must respond to these challenges by following security best practices. Here are the top five activities that healthcare companies need to consider to secure their medical devices:

1. Establish a secure software development life cycle (SSDLC).

Security works best when we treat it as an emergent property of a software system rather than bolting it on at the end. Medical device manufacturers and system developers are moving to establish well-defined SSDLCs. A well-defined SSDLC uses proactive processes to identify security requirements, design defects, and code-level bugs. The key activity in the SSDLC is threat modeling. Threat modeling identifies system assets and methods (called threat vectors or attack vectors) in which attackers can potentially compromise. It also enables an organization to understand an application’s threat landscape, to identify security requirements and design defects, and to provide actionable guidance for security testing of the application. In most cases, companies that have established successful SSDLCs also measure and continually improve maturity of such programs.

2. Understand cloud security.

The IT infrastructure is moving to the cloud at a rapid pace. Medical devices will follow suit. Companies like McKesson are creating cloud and infrastructure services that are changing the way medical systems are deployed. Therefore, it is critical to understand the security challenges associated with cloud services. To get an idea of these challenges, try answering the following questions:

  • What is my security responsibility versus that of the cloud provider?
  • How is my data protected in the cloud?
  • What are the implications of HIPAA compliance standards with a move to the cloud?
  • If we store data encrypted in the cloud, should we trust the cloud-provider with the keys?

Although there is some evidence to suggest that cloud providers do a better job of protecting against data breaches and loss, healthcare companies need to understand that infrastructure can be transferred to cloud more easily than the risk itself. In case of a data breach, it is in most cases the healthcare companies that are liable and not the cloud providers.

3. Create logging and monitoring controls.

No amount of security investment can guarantee that the medical system will avoid a breach. It is important to create proper logging and monitoring controls to detect any malicious attacks and their impact on the system as soon as they occur. Organizations are becoming sensitive to effective logging and monitoring controls.

4. Use a secure operating system to build medical devices.

The life cycle of medical devices tends to be a lot longer than those of handheld devices or smart phones. Some of the devices are deployed for many years if not many decades. In addition, these devices could be operating in an environment where patching devices for security bugs could be cost prohibitive or simply not possible. For these reasons, it is important to use a secure platform for building medical devices. As an example, a quick scan of the NVD shows that there are a lot more security vulnerabilities in an operating system such as Windows XP than in a secure operating systems such as the QNX. Using a secure operating system reduces the need for security-related patching.

5. Remember that deployment security is equally important.

Although it is necessary to establish a secure SDLC, it is not enough from a security perspective. Maintaining security is a shared responsibility between patients, providers, and the device/system manufacturers. Medical device or system creators need to understand how their systems will be deployed and used. They must then provide necessary security guidance to their customers.

Summing it up.

While popular TV shows depict attention-grabbing attacks on medical devices themselves, today’s medical device security stance needs to be examined in a larger context. This includes the level of connectivity to larger server-based systems and databases that are likely to be deployed in a cloud environment.

How prepared is your healthcare organization to withstand a security breach?