
Recently there have been a number of well-documented security vulnerabilities involving medical devices, including a report of over 300 medical devices with hard-coded passwords. 

Some medical devices include password-protected logins and encrypted protocols, but this is not sufficient.

Use of multiple layers of protection, including firewalls, authentication, security protocols, and intrusion detection/intrusion prevention is a long-established driving principle for enterprise security. In contrast, most medical devices lack a firewall or security protocols, and often rely on little more than one simple password authentication. The old assumption has been that these devices are not attractive targets to hackers, or are not vulnerable to attacks, but that is no longer valid. Attacks against all types of embedded devices, including medical products, are on the rise and greater security measures are now needed.

Cyber security has been a critical focus for large enterprises for 25-plus years, and medical device design engineers can take a page from the enterprise security playbook.

Embedded Security Challenges

Medical devices are very different from standard PCs.  They are fixed-function devices designed to perform a specialized task. Installing new software on the system in the field often requires a specialized upgrade process or is simply not supported.  These devices are optimized to minimize processing cycles and memory usage and do not have a lot of extra processing resources available.  PC security solutions won’t solve the security challenges of these devices.

Challenges for medical device security include:

Critical functionality: Medical devices control life-enabling systems and manage sensitive data.  

Replication: Once designed and built, medical devices are mass-produced, resulting in thousands to millions of identical devices. Once discovered, a successful attack against one of these devices can be replicated across all devices.

Security assumptions: Many medical device engineers have long assumed that their products are not targets for hackers and have not considered security a critical priority.

Not easily patched: Most medical devices are not easily upgraded. Once they are deployed, they will run the software that was installed at the factory.

Long life cycle: The life cycle for medical devices may be as long as 10, 15, or even 20 years. Building a device that will stand up to the security requirements of the next two decades is a tremendous challenge.

Deployed outside of the enterprise security perimeter: Medical devices may be mobile or may be deployed in the home, environments lacking the protections found in a corporate environment. 

Cyber-attacks and the motivated hacker

The level of security required for a medical device varies depending upon the function of the device. Rather than asking whether the device is secure, OEMs should be asking whether the device is secure enough. A robotic surgery system clearly needs a very different level of security than a sensor equipped with communication capability for remote monitoring of patients.

Hacking is not just the domain of bored teenagers, hacking drones, or even the small groups of motivated hackers. When the stakes are high enough, cyber-attacks are multi-phased, multiyear efforts carried out by large, well-funded teams of hackers.

We are no longer talking about protecting a device from just malformed IP packets or DoS packet floods. Hackers often have detailed information on the device they are targeting and have sophisticated toolkits and skills that can be used to develop attacks. Have you considered how to protect the device from attack from a group with detailed knowledge of the inner workings of your product?

Security requirements for medical devices

A security solution for medical devices must protect firmware from tampering, secure the data stored by the device, secure communication, and protect the device from cyber-attacks. This can only be achieved by building in security from the early stages of design.

There is no one-size-fits-all security solution for medical devices. Engineers must take into consideration the cost of a security failure (economic, environmental, social, etc.), the risk of attack, available attack vectors, and the cost of implementing a security solution. Features that need to be considered are:

Secure boot: Achieved using cryptographically signed code from the manufacturer along with hardware support to verify code is authenticated. This ensures that the firmware has not been tampered with.

Secure code updates: Ensure that the code on the device can be updated for bug fixes, security patches, etc. Use of signed code (secure boot) ensures that malicious code cannot be introduced.
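The secure boot and secure update items above share one mechanism: the device holds the manufacturer's public key and refuses any image whose signature does not verify, and the updater additionally refuses downgrades. The following is an added example, not code from the article or from Icon Labs; the RSA key pair is constructed from two well-known Mersenne primes so it runs offline and is deliberately toy-grade (trivially factorable), and it uses raw RSA over a SHA-256 digest where a real device would use a properly generated key with PKCS#1 v1.5 or PSS padding.

```python
import hashlib
import struct

MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")   # magic, version, payload length (big-endian)
SIG_LEN = 81                      # bytes needed to hold a value below N

# Constructed toy key: p = 2^127-1, q = 2^521-1 (known primes), e = 65537.
# Do not reuse: it is factorable on sight and exists only to make this run.
P, Q, E = (1 << 127) - 1, (1 << 521) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, stays with the manufacturer
PUBLIC_KEY = (N, E)                 # what the device keeps in ROM/OTP


def build_image(version, payload, priv=(N, D)):
    """Manufacturer side: header + payload, followed by RSA signature over SHA-256."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    digest = int.from_bytes(hashlib.sha256(body).digest(), "big")
    n, d = priv
    return body + pow(digest, d, n).to_bytes(SIG_LEN, "big")


def verify_image(image, min_version, pub=PUBLIC_KEY):
    """Device side: return (ok, reason). The boot ROM calls this before jumping
    to the payload; the updater calls it before writing the payload to flash.
    min_version is the anti-rollback counter held in protected storage."""
    n, e = pub
    if len(image) < HEADER.size + SIG_LEN:
        return False, "truncated image"
    magic, version, length = HEADER.unpack_from(image)
    body_len = HEADER.size + length
    if magic != MAGIC or len(image) != body_len + SIG_LEN:
        return False, "bad header"
    body, sig = image[:body_len], image[body_len:]
    sig_int = int.from_bytes(sig, "big")
    if sig_int >= n:
        return False, "malformed signature"
    expected = int.from_bytes(hashlib.sha256(body).digest(), "big")
    if pow(sig_int, e, n) != expected:
        return False, "signature mismatch"   # payload or header was altered
    if version < min_version:
        return False, "rollback to older version refused"
    return True, "ok"
```

Note that the version check runs only after the signature verifies, so an attacker cannot forge a header that claims a high version to bypass rollback protection.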

Data security: Prevent unauthorized access to the device and its data by using encrypted data storage and/or encrypted communication.

Authentication: Communication should be authenticated using strong passwords (at a minimum) or an authentication protocol such as Kerberos.

Secure communication: Communication to/from the device needs to be secured using encryption (SSH, SSL, etc.).

Protection against attacks: Embedded firewalls provide a critical layer of protection against cyber hackers and common cyber-attacks.

Intrusion detection & security monitoring: Many existing medical devices can be attacked repeatedly without detection. A hacker could execute millions of invalid login attempts without the attack being reported.
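A monitor that closes exactly the gap described above, as an added example that is not from the article or from Icon Labs: it counts failed logins per source in a sliding window, raises an alert once the threshold is reached, and locks the source out so further attempts are refused without even evaluating the credential. The log format, addresses and thresholds are constructed for illustration; a real device would forward the alert to its security management system rather than return it.

```python
from collections import defaultdict, deque

# Constructed log format: "<epoch seconds> <source> LOGIN <OK|FAIL> <user>"
SAMPLE_LOG = """\
1000 10.0.0.7 LOGIN FAIL admin
1001 10.0.0.7 LOGIN FAIL admin
1002 10.0.0.7 LOGIN FAIL root
1003 10.0.0.7 LOGIN FAIL admin
1004 10.0.0.7 LOGIN FAIL service
1005 10.0.0.7 LOGIN FAIL admin
1300 10.0.0.9 LOGIN FAIL nurse
1301 10.0.0.9 LOGIN OK nurse
2000 10.0.0.7 LOGIN FAIL admin
"""


def monitor(lines, threshold=5, window=60, lockout=300):
    """Sliding-window brute-force detector.

    Returns (alerts, dropped): each alert is (time, source, failures_in_window);
    dropped counts attempts refused while their source was locked out."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    locked_until = {}               # source -> time at which the lockout ends
    alerts, dropped = [], 0
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, _, result, _user = line.split()
        t = int(ts)
        if locked_until.get(src, 0) > t:
            dropped += 1            # locked out: refuse without checking credentials
            continue
        if result != "FAIL":
            continue
        q = failures[src]
        q.append(t)
        while q and q[0] < t - window:
            q.popleft()             # forget failures older than the window
        if len(q) >= threshold:
            alerts.append((t, src, len(q)))
            locked_until[src] = t + lockout
            q.clear()
    return alerts, dropped
```

On the constructed log the sixth failure from 10.0.0.7 is dropped by the lockout, the single failure from 10.0.0.9 never reaches the threshold, and the late attempt at t=2000 starts a fresh count because the lockout and window have both expired.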

Embedded security management: Integration with a security management system allows security policies to be updated to mitigate against known threats.

Device tamper detection: Some new processor/board designs include tamper-detection capabilities, enabling detection when the seal on the device enclosure is broken, indicating that someone is attempting to tamper with the device.

Integrating security into the device

Building protection into the device itself provides a critical security layer that ensures devices are no longer depending on the corporate firewall as their sole layer of security, and allows security to be customized to the needs of the device.

Security needs to be considered early in the design of a new device. Support for secure boot or device tamper detection requires specific hardware capabilities. Since hardware is typically selected early in the design phase, this capability must be considered very early in the process. 

Today’s modern medical devices are complex, connected computers that perform critical functions.  Including security in these devices is a critical design task. Security features must be considered early in the design process to ensure the device is protected from the advanced cyber threats it will be facing. 

Alan Grau is the president and cofounder of Icon Labs, West Des Moines, Iowa, a leading provider of security solutions for embedded devices. He can be contacted at (515) 226-3443 or alan.grau@iconlabs.com.
