Hacking medical devices: Five ways to inoculate yourself from attacks

Chandu Ketkar

Mar 24, 2021 / 3 min read

It’s vital that healthcare companies follow medical device security best practices to defend against attacks on devices and the networks and systems they connect to—especially during a pandemic.

The COVID-19 pandemic has increased the number of medical devices used at home, so ensuring the security of those devices is essential. In addition, all baby boomers will reach retirement age by 2030. This rapid growth of an aging population underscores the importance of secure and reliable healthcare products and services, including medical devices. To meet this need, many medical devices connect to server-side systems, which has created a surge in demand for expertise in both medical device security and system security.

Security weaknesses, vulnerabilities, and data breaches can put patient safety at risk and expose healthcare companies to data disclosure and HIPAA regulatory risks. How can vital medical devices be kept safe, especially during a pandemic when professional healthcare staff cannot monitor them in person? What measures should medical device companies take to ensure patient safety? Here are five steps that healthcare companies should take to secure their medical devices.

Five best practices for medical device security

1. Establish a secure software development life cycle

Security works best when it’s treated as an intrinsic property of a software system rather than bolted on at the end. Medical device manufacturers and system developers should establish a well-defined secure software development life cycle (SSDLC) that includes proactive processes to identify security requirements, design defects, and code-level bugs. Threat modeling, a key activity in the SSDLC, identifies system assets and the methods (called threat vectors or attack vectors) that attackers could use to compromise them. It also helps an organization understand an application’s threat landscape, identify security requirements and design defects, and get actionable guidance for security testing. In most cases, companies with a successful SSDLC also measure and continually improve the maturity of such programs.

2. Understand cloud security

Many organizations—including medical device companies—are moving their IT infrastructures to the cloud. Companies like McKesson are creating cloud and infrastructure services that are changing the way medical systems are deployed. Therefore, it’s critical to understand the security ramifications of cloud services, such as:

  • What’s my security responsibility versus that of the cloud provider?
  • How is my data protected in the cloud?
  • What are the implications of HIPAA compliance standards with a move to the cloud?
  • Can we trust the cloud provider with the keys to our encrypted data?

Although some evidence suggests that cloud providers do a better job of protecting against data breaches and loss, healthcare companies must understand that infrastructure can be transferred to the cloud more easily than the risk itself. In the case of a data breach, it’s usually the healthcare companies that are liable—not the cloud providers.

3. Create logging and monitoring controls

No amount of security investment can guarantee that medical systems will never be breached. Proper logging and monitoring controls can help detect any malicious attacks and their impact on the system as soon as they occur.

4. Use a secure operating system to build medical devices

The life cycle of medical devices is often much longer than that of handheld devices like smart phones; some can be used for many years, if not decades. In addition, some devices operate in an environment where patching for security bugs is cost-prohibitive or simply not possible. Using a secure platform to build medical devices is critical. The National Vulnerability Database shows many more security vulnerabilities in an operating system such as Windows 10 than in a secure operating system such as QNX. Using a secure operating system reduces the need for security-related patching.

5. Remember that deployment security is equally important

Although establishing an SSDLC is necessary, it’s not enough. Maintaining security is a shared responsibility between patients, providers, and medical device/system manufacturers. Medical device and system creators must understand how their systems are deployed and used. They must also provide necessary security guidance to their customers.

Summary

The COVID-19 pandemic has highlighted the need to examine medical device security in a larger context, including the connections to larger, server-based systems and databases in a cloud environment. Following best practices for medical device security will help your organization protect your medical devices and systems against hackers.
