Most products in this market share a common feature: network connectivity. Figure 1 shows a typical example: even something as mundane as a pump bristles with features allowing it to communicate across the internet.
There are tremendous benefits from network-connected medical devices. These systems garner much of their power from:
- Wireless connectivity through the hospital, or across the world.
- Remote monitoring of patient status by physicians and machine-learning systems.
- Activation via near-field communications (NFC, the technology used in Apple Pay and public transport fare systems).
- Adjustment of implantable devices such as pacemakers without invasive procedures.
Figure 2 shows a network-connected device whose function is to coordinate measurements and parameter settings for implantable devices. It is intended to be accessed by the patient, their treating physicians and the manufacturer.
But the stakes are high for security breaches in devices which can have life-and-death effects on patients. The same interfaces that bring obvious clinical benefit create a large “attack surface” which adversaries relentlessly probe for weaknesses.
Recently there has been controversy and litigation around the St. Jude Medical product pictured in Figure 2. Hospira and Medtronic products are allegedly the targets of a Department of Homeland Security investigation.
Why the mess?
It is a truism that security in internet-of-things (IoT) products has taken a back seat. Ignoring security has been the IoT status quo while medical devices have taken on consumer-electronics attributes. Here are some characteristics of these market changes:
- Features and time-to-market determine the success of the product.
- Developers are averse to adding security code which consumes scarce resources within price-constrained systems.
- The fastest route to market introduction is usually to employ older, familiar code blocks designed in an era before the internet became a hostile environment.
- Older code (for example, an outdated operating system) often consumes fewer resources and runs on the cheapest hardware components.
- Most of the software in medical devices is proprietary. This is typically less resistant to attacks than the open-source code in many larger computer systems. Prominent open-source code is debugged and tested by many individuals in a process resembling academic peer review, whereas security audits of proprietary code are, by nature, unverifiable.
- Hospital networks often lack security beyond the gateway linking the local network to the internet. Devices installed inside a hospital network have great freedom to behave in atypical ways. The power and longevity of medical malware such as MedJack is a testament to this.
The sheer number of connected medical devices compounds the problem. While implanted and life-sustaining systems grab the security-breach headlines, the average hospital bed now sports 10-15 network-connected gizmos, all speaking the lingua franca of the internet. Even identifying the vulnerabilities existing in a 5000-bed hospital system then becomes daunting.
A recent view from information security professionals
Recently, the consultancy Deloitte polled information security professionals working for device manufacturers, healthcare software developers, healthcare providers and regulators. They reported that 36% of those surveyed said their organization’s products or services had a security breach during the past year. Perhaps more disturbing, 27% of this population did not know whether any breach had occurred.
The biggest medical device security issues were reported as:
- Problems securing legacy/fielded devices (30% of respondents)
- Needing to embed vulnerability management in the product (20%)
- Resources to monitor and respond to incidents (20%)
- Lack of collaboration on known threats (18%)
- Regulatory complexity (8%)
- The motivations of adversaries span financial rewards (ransomware), IP theft, and surreptitious access to critical clinical research.
- Hospitals are eager to pay ransoms to regain operational control of their facilities.
- Government-sponsored adversaries form the biggest threat to device manufacturers.
How can this situation be improved?
Medical devices can be hardened against these threats in these ways:
- Improved processes during device design:
  - Implement a documentation hierarchy to make all product decisions clear, and devote sufficient resources to the Quality Management System (QMS).
  - Plan for vulnerabilities: assume the device will be compromised in its lifetime and devise defensive capabilities.
  - Execute continuous, iterative security risk assessments. These should be at least annual, and also triggered by business changes such as alterations in the supply chain, acquisitions and divestitures.
  - Field upgrades to the product need special attention. They are critical to reducing the attack surface, but are also a rich source of new security issues.
- Taking a forensic approach to issues raised by security breaches, regulators, litigants and whistleblowers:
  - Creating an incident timeline.
  - Searching for anomalous behavior.
  - Finding what data and/or code was accessed and exploited.
- Fostering ways for the medical device industry to share sensitive information in a non-competitive setting.
- Improving the legislative and regulatory framework:
  - An example of a new legislative proposal is the Medical Device Cybersecurity Act of 2017 (S. 1656), which has been referred to a Senate committee.
  - The FDA has issued several medical device security recommendations, and has also begun to block marketing approval for medical devices if they fail to meet cybersecurity standards.
Medical devices are providing startling improvements in health care because of their new communication capabilities. Medical device security expert witnesses may become increasingly needed to deal with both intellectual property and tort lawsuits involving this technology.
St. Jude Medical, LLC v. Muddy Waters, LLC et al., 16-cv-03002, United States District Court for the District of Minnesota.