Recently the WannaCry ransomware crippled the U.K. National Health System (NHS), denying millions of patients access to their personal and privileged medical information. The proliferation of medical devices, networked and stand-alone, wired and wireless, represents the emergence of an attack surface ripe for exploitation by nefarious characters.
In a large-scale deployment, these devices can be considered IoT (Internet of Things) entities, subject to the same promises and pitfalls—with deadly consequences. Not only do medical device security vulnerabilities expose patients to harm due to a loss of availability or equipment shutdown, but they can also create potential liability risks for device manufacturers. While HIPAA regulation primarily focuses on the protection of Personally Identifiable Information (PII), it does not mandate the formation of a secure and viable mechanism to safeguard against intentional data breaches.
The Feds Have Been Busy
The FDA has taken steps to educate and provide guidance to the industry. In October 2016, the FDA entered into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety, and Security Consortium (MDISS). The MOU will enable an operational framework for sharing medical device vulnerability information. However, its aim is the establishment of a shared risk assessment framework—rather than addressing the underlying reasons why the vulnerabilities exist in the first place.
A Viable Security Model
If we set aside hardware issues, creating a reasonably secure medical device requires addressing both the design flaws and the known vulnerabilities that cause inherent risk, as well as identifying the unknown vulnerabilities, in order to reach a controlled mitigation stage and manage the residual risk. To achieve sustainable results, medical device vendors must integrate cybersecurity into the Product Development Lifecycle (PDLC). Discovering security concerns only after the product has entered the market, or even as late as the manufacturing and design phases, can be a recipe for disaster.
How to Assess Security in Medical Devices
1. Identify and record all control elements for the medical device's intended use case to make sure it stays within scope—all other cases must be blacklisted.
2. Perform static code analysis (white-box testing) to catch all coding infractions and address them through standard engineering practices.
3. Conduct fuzzing (black-box testing) by feeding malformed packets to the application or device and measuring its responses.
4. Test the application software for security vulnerabilities and certify that the golden image of the commercialized software is free of known cybersecurity risks by deploying vulnerability assessment and patch management tools.
5. Whitelist the approved application and blacklist all unauthorized others.
6. Lastly, develop the product risk assessment plan, and define and identify inherent risks and their mitigation controls.
In Conclusion
As with other computing devices, there is no such thing as absolute security. Medical devices cannot be 100% fail-safe, but manufacturers and health organizations can manage their risk exposure by following security best practices in a collaborative setting.