Seven key practices for ensuring medical device and IoT security
As connected medical devices become more powerful and widely adopted, they’ve also become bigger targets for bad actors. Whether using hospital devices to break into facility networks to steal sensitive data or taking over an implantable device to do physical harm to a patient, the various ways to achieve these malicious goals continue to grow exponentially. If device manufacturers and healthcare organizations are to protect patients from a privacy standpoint and physically safe, they're going to need to more fully address cybersecurity.
While there’s no silver bullet solution, action needs to be taken for the sake of patients and medical facilities alike. Here, Rusty Carter, vice president of product management at Arxan Technologies, an application software security provider with expertise in mobile and connected medical device security, outlines seven of the most important steps to be taken to ensure patient and hospital safety in 2018.
1. Build a secure development lifecycle
First and foremost, the development lifecycle needs to promote security by design. Manufacturers who establish good coding practices that include comprehensive security evaluation and testing throughout the cycle can build a product that, once protected from reverse-engineering and tampering through “app shielding,” will deliver the most difficult defenses to compromise.
2. Make devices tamper proof
Particularly important for personal medical devices readily available on the market, tamper-proofing must be baked in from the very beginning. When vulnerabilities were found in Abbott (formerly St. Jude Medical) home pacemakers, security researchers discovered that the devices didn't implement some of the most basic security protocols. For example, the software binary code was completely unencrypted, and it used an unauthorized and unencrypted radio frequency protocol, making man-in-the-middle attacks easy to execute for those in close proximity to a person implanted with such a device. These encryption and authentication problems were combined with two other vulnerabilities that only added fuel to the fire.
3. Focus on encryption
Encryption of sensitive data and communications is the most obvious way to improve medical device security. But poorly executed encryption is almost as bad as none at all, so it will take careful implementation of solid cryptography, including key protection and password/data storage practices.
4. Listen to the security research community
Rather than thanking security researchers when they disclose medical device vulnerabilities, organizations are more likely to try to bury the bad news of poor security implementations. The problem is that this never addresses the root problem, and the likelihood is high that the next time around, it might not be the white hat hackers who find the flaws. Manufacturers would be best served to establish not only official security disclosure procedures, but even consider developing bug bounty programs through which they pay independent researchers to bring them valuable details about critical vulnerabilities they find in the manufacturer's devices.
5. Improve practices for post-market software updates and configurations
Medical facilities need manufacturers to untie their hands when it comes to instituting security best practices on machines that will go on their networks or in patients' bodies. This means creating more rational software update procedures for devices and giving users greater control over how devices are configured. The days of unchangeable hard-coded passwords need to end.
6. Obtain certifications beyond FDA requirements
Device manufacturers across the board benefit from finding software technology partners that can demonstrate their commitment to quality through established and consistent policies, practices and procedures for the entire product suite, beyond what the FDA requires. One such certification is the ISO 13485, an internationally recognized quality management system standard for medical devices developed by the International Organization for Standardization. The standard represents an international consensus on good management practices, policies and procedures with the aim of ensuring that organizations can consistently deliver products or services that meet the customer’s quality requirements.
7. Check OWASP for top vulnerabilities
It’s crucial to stay connected to industry peers and up-to-speed on the latest vulnerabilities and best practices for embedded application security. The Open Web Application Security Project (OWASP) is a nonprofit organization focused on improving the security of software, and is highly regarded within the security industry. Organizations that are serious about improving security should keep OWASP embedded security guidance in mind throughout the secure development lifecycle.