The Expanding Threat Landscape of Connected Medical Devices
The medical device industry is in the earliest stages of addressing medical device security today, but developers should expect to see many changes over the next several years.
Today’s health care environments contain an extraordinary amount of networked technology, from traditional hard-wired equipment such as monitoring devices and diagnostic equipment (CAT scanners) to wireless connectivity within implanted devices such as pacemakers. The explosion of medical devices (MDs) connected to open networks has created new vulnerabilities for patients and a series of unique security challenges for device manufacturers and medical facilities.
In 2008, a team of academic researchers shook up the connected medical device community by presenting a paper at an IEEE Symposium that outlined a potential attack on implanted cardiac devices through the wireless interface. While this initially raised some concern, it was not until Jay Radcliffe demonstrated a potential attack through the wireless interface of a patient-worn insulin pump that awareness of medical device security issues “exploded,” prompting a U.S. Government Accountability Office (U.S. GAO) inquiry into medical device security issues and a media blitz that continues to this day.
Here are a few examples of device types that are subject to security risks:
The Good and the Bad of Connected Medical Devices
Communication technology advances have allowed medical device manufacturers to implement features that radically improve the patient experience. To cite an example, implanted cardiac management devices (e.g., pacemakers) often require adjustments in the therapies they deliver. Early devices required somewhat invasive procedures to make such adjustments, often resulting in increased patient discomfort, or worse, the introduction of infection.
Advances in wireless technologies eventually led to implanted devices that could be monitored and adjusted through radio frequency (RF) communications, increasing patient comfort and reducing the risks surrounding invasive procedures.
Connected devices provide health care professionals with the ability to share this data with other members of health care staff, often in real time, both inside and outside the confines of the medical establishment. There is little doubt that connectivity has tremendously enhanced the health care experience, both from a provider and patient perspective.
The rapid adoption of electronic health records (EHR), while an enabler of better provider/patient interactions through streamlined workflows, has unfortunately opened up new avenues for misuse of medical information. The HIPAA Act was created in the U.S. to force health care organizations and their business partners to protect patient data under penalty of law, and organizations that do not comply with the requirements are subject to stiff fines.
Despite the benefits of these technological advancements, we are now witnessing a gradual emergence of cyber security-related risks to patient safety and privacy. These risks have consequently caused health care providers, from device manufacturers to hospitals, to dedicate substantial resources to discovering and mitigating cyber security risks.
Awareness of the rising problems associated with this technology prompted a recent bulletin released by the National Cybersecurity and Communications Integration Center (NCCIC), a division of the Department of Homeland Security. The bulletin discusses how the exploitation of potential vulnerabilities of MDs, attached to medical IT networks, may result in possible risks to patient safety.
No More Protection Through Obscurity
For years, medical device manufacturers have relied on obscurity as a means of protection. This was adequate only until the research and hacking community decided to investigate these devices and discovered that, in some cases, it was relatively easy to intercept communications and, furthermore, take control of such devices.
RF/wireless-capable medical devices frequently communicate over proprietary frequencies and through unauthenticated (or weakly authenticated) communication links. Additional research has also uncovered that firmware updates to medical devices were being distributed over the Internet via malware-infected websites.
Unique Solutions to Unique Challenges
Legacy medical devices create interesting challenges, since many of these devices cannot be patched or updated to offer better security. Many legacy devices are in service today because they perform their functional requirement of delivering patient therapy. In some cases, devices can be cycled out and replaced with updated devices with better security.
One of the more serious considerations with implanted devices is the extremely limited power supply often available to such devices. These devices operate on batteries that have a long life expectancy, and implementing security on such devices can potentially diminish battery life, posing a serious risk to the patient when the therapy is no longer available.
Medical devices must be available to deliver required treatments and perform monitoring functions with urgency. It is important to understand that any security measures implemented must not interfere with availability, as the consequences of limited availability can have a far greater impact than the security threats themselves. External devices also share the need for availability above all else.
New technologies allow medical device manufacturers to perform thorough vulnerability tests on their systems and devices during the development stage. The best starting point is to approach security in a manner similar to that used to address industrial control system (ICS) security. These systems control functions such as chemical manufacturing processes, energy management, nuclear power plants and many other mission-critical infrastructures. Failures in such systems can lead to devastating results, and availability of these systems is absolutely paramount.
Securing ICS has been a global effort for nearly a decade, and many of the same principles can be applied to the medical device space, since, after all, medical devices are indeed used to control critical functions.
Most importantly, it is critical for medical device manufacturers to perform thorough assessments on their systems and devices to determine what vulnerabilities exist and if there is a risk to the patient. While device manufacturers are well-equipped to perform tests that can determine failure modes against functional requirements, commonly accomplished through failure mode effects analysis (FMEA), most cyber security-related failures are non-functional in nature and can be nearly infinite.
Engineering teams in medical device manufacturing organizations have traditionally focused on addressing functional requirements and have not dedicated resources to addressing malicious misuse of devices. Even when engineering does take steps to determine malicious misuse cases, it can be quite challenging to prioritize which threats need to be addressed.
A New Generation
Some health care organizations/vendors have stepped up their security initiatives dramatically. Others are reacting to the emerging threats with less urgency, focusing chiefly on security as it pertains to HIPAA regulations. Regulatory bodies have stepped up their efforts to address medical device security issues, yet they are currently approaching regulation with caution, because of the unique considerations in approaching security for medical devices.
The industry is in the earliest stages of addressing medical device security today, and we are certainly going to see many changes over the next several years. Organizations have recently been created to specifically address medical device security. Most notably, the Medical Device Safety and Security Consortium (MDISS) has garnered the support of several large health care provider organizations and device manufacturers, and the US Department of Homeland Security Industrial Control Systems Joint Working Group (ICSJWG) has taken an interest in medical device security.
Nate Kube founded Wurldtech Security Technologies in 2006 and as the company’s chief technical officer is responsible for strategic alliances, technology and thought leadership. Nate is an internationally recognized subject matter expert in embedded device protection for high-availability process automation, medical and health care industries. Nate has created an extensive intellectual property portfolio including numerous patents in formal test methods and critical systems protection.