Mitigating the Security Risks of Implantable Medical Devices
Implantable medical devices are becoming increasingly sophisticated, including infusion pumps that deliver medication, scanners that monitor biometric data, and devices that support or enhance organ functions. As with most modern technologies, many medical implants use Internet and network connectivity to exchange information with other systems and devices. Continuous connectivity facilitates health data analytics, immediately alerts patients and doctors if warning thresholds are triggered, and enables device updates to patch security or functionality issues. Unfortunately, this connectivity makes medical devices vulnerable to the same threats faced by other medical devices, computer systems, and smartphones. What can manufacturers do to protect their implantable devices?
SecureState has first-hand experience testing Class 1 and 2 medical devices for vulnerabilities in wireless connectivity, physical security, and smartphone integration. Attackers can exploit these vulnerabilities to access personal health information, infiltrate medical institution systems, and even remotely change doses in infusion pumps. For device makers, maintaining the security of medical implants is not as simple as installing the most advanced encryption technology. Medical device implants must be built within narrow margins of heat, size, and space that put the patient’s life first. This balance between life and security presents challenges that are unique to the medical implant industry. Despite these limitations, there are steps that device makers can take to increase the security of their medical implants.
Design Security into Devices from the Start
Medical device makers have difficulty identifying new vulnerabilities, determining which threats are important to them, and allocating resources to develop mitigation strategies. However, with the increased threat of cyber-attack and scrutiny from Government agencies, device manufacturers must factor security into their development costs and schedules. This should begin early in the systems development lifecycle to ensure that security requirements are identified and communicated early. Companies that lack the internal resources to perform this can hire a third party to support threat modeling and requirements definition during development and manage continual compliance programs after deployment.
Enable Easy Patching
Many medical device implants were built using outdated or proprietary operating systems that are difficult to maintain. Furthermore, deploying fixes to implanted devices is often difficult since it can involve invasive surgery or introduce unforeseen errors that put a patient’s life at risk. Although health concerns will always be present, device makers can minimize risks by implementing a patch system that can be performed easily and without surgery.
Implement Forensic Tools
Current device configurations make it difficult for manufacturers or FDA auditors to determine whether incidents are caused by device errors or by a malicious attack. Manufacturers can mitigate this by ensuring devices have proper logging to support incident analysis. At a minimum, devices should be able to record login and bad password attempts.
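The following C example is added here and is not code from SecureState or any device maker. It shows a fixed-size audit log that records logins, bad password attempts and device faults, reports how many records were lost to wraparound, and counts bad password attempts in the window before the latest fault. The event types, buffer size and function names are assumptions, and the sample history is constructed.

```c
#include <stdint.h>

/* Event types are hypothetical; the article names logins and bad passwords. */
enum { EV_LOGIN_OK = 1, EV_BAD_PASSWORD, EV_DEVICE_FAULT };
#define LOG_CAP 8u /* small fixed buffer: an implant has little memory to spare */
struct audit_rec { uint32_t seq, time_s; uint8_t type; }; /* seq exposes gaps */
struct audit_log { struct audit_rec rec[LOG_CAP]; uint32_t next_seq; };

/* Append a record, overwriting the oldest slot once the buffer is full. */
void log_append(struct audit_log *l, uint32_t t, uint8_t type) {
    struct audit_rec *r = &l->rec[l->next_seq % LOG_CAP];
    r->seq = l->next_seq++; r->time_s = t; r->type = type;
}

/* Records lost to wraparound, so the analyst knows the history is incomplete. */
uint32_t log_dropped(const struct audit_log *l) {
    return l->next_seq > LOG_CAP ? l->next_seq - LOG_CAP : 0;
}

/* Count retained bad-password records with from <= time_s <= to. */
uint32_t bad_pw_between(const struct audit_log *l, uint32_t from, uint32_t to) {
    uint32_t n = 0;
    for (uint32_t s = log_dropped(l); s < l->next_seq; s++) {
        const struct audit_rec *r = &l->rec[s % LOG_CAP];
        if (r->type == EV_BAD_PASSWORD && r->time_s >= from && r->time_s <= to) n++;
    }
    return n;
}

/* Triage aid: bad-password attempts in the window_s seconds before the latest
 * fault. Zero points toward a device error; a burst warrants a closer look. */
uint32_t bad_pw_before_last_fault(const struct audit_log *l, uint32_t window_s) {
    for (uint32_t s = l->next_seq; s > log_dropped(l); s--) {
        const struct audit_rec *r = &l->rec[(s - 1) % LOG_CAP];
        uint32_t from = r->time_s > window_s ? r->time_s - window_s : 0;
        if (r->type == EV_DEVICE_FAULT) return bad_pw_between(l, from, r->time_s);
    }
    return 0;
}

/* Constructed sample history (not real device data): {time_s, EV_* value}. */
const struct audit_log *sample_log(void) {
    static const uint32_t ev[10][2] = { {10,1}, {20,2}, {100,1}, {500,2}, {505,2},
                                        {510,2}, {515,2}, {520,1}, {530,3}, {900,1} };
    static struct audit_log l;
    l.next_seq = 0;
    for (int i = 0; i < 10; i++) log_append(&l, ev[i][0], (uint8_t)ev[i][1]);
    return &l;
}
```

In the sample, ten events are written to an eight-slot buffer, so the earliest bad password attempt is overwritten. That is why the dropped-record count should be exported with the log.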
Design for Security not Compliance
In the past two years, the Federal Government has stepped up its investigations into medical device security. The Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is investigating cases of suspected cyber security flaws in medical devices and hospital equipment. The U.S. Food and Drug Administration (FDA), which regulates the sale of medical devices, recently released guidelines to help manufacturers and healthcare providers better ensure medical device security. Although the guidelines are not law, the FDA reserves the right to reject a device that does not meet the guidance. For companies that have sunk years of development and millions of dollars into creating a medical device, this uncertainty over FDA approval can have a tremendous effect. SecureState recommends that device manufacturers do everything in their power to make devices secure, rather than attempting to meet the minimum compliance of nebulous guidelines. If manufacturers integrate security throughout the development cycle, then they will generally build a device that can meet regulatory requirements.