Medical-Device Flaws Will Take Time To HealManufacturers are slow to patch up security issues, despite increasing pressure from patients, researchers and federal agencies
Jay Radcliffe takes medical-device security personally.
As a senior security analyst for security firm InGuardians, Radcliffe is frequently called upon to give advice on how best to secure medical systems. Radcliffe is also a diabetic and a user of a portable insulin pump. He became interested in medical device security when he discovered that his current pump had a significant safety issue: Replacing the batteries resets the pump, causing data on how much insulin a user has administered to be lost.
At the Black Hat USA security conference last week, the security consultant discussed the vulnerabilities that frequently plague medical devices and systems, despite the U.S. Food and Drug Administration's guidance that manufacturers investigate and fix risks to their devices and systems.
"It caused me to have low blood sugar two times, which is a very dangerous condition," Radcliffe says. "I reported that to the FDA, and the vendor very kindly told me that they have no plans to change it."
Problems with medical devices and systems are garnering more attention. University researchers are investigating how widespread such vulnerabilities are and how manufacturers could better fix them. In June 2013, the FDA issued an alert to medical-device makers that they are now responsible for securing their devices against attacks from malware and malicious actors.
[The Food and Drug Administration warns that patient health could be threatened by the introduction of malware into medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. See Medical Devices Subject To Cyberattack, FDA Warns.]
"The FDA is recommending that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks," the agency stated in the alert.
Medical devices and systems require slightly different approaches to their security. Implantable and wearable medical devices are the most worrisome, because any attack on the device can affect the health of the user. Many modern pacemakers, defibrillators, and insulin pumps allow wireless control to let doctors, medical technicians, and the user to fine tune the device, and that brings risk.
Implantable devices have to have a much more in-depth development process, says John Pescatore, director at the SANS Institute, an information-technology training organization.
"They are like the space shuttle," he says. "You got to pay extra to make sure it's really, really secure and that's why space-shuttle software is really expensive. It's really expensive to update the thing when it is 400,000 miles away, and similarly when it's implanted."
Like SCADA systems, the devices have typically been created to be reliable and do what they are supposed to do, not withstand malicious attackers.
On the other hand, medical machinery is typically connected to a network and has to fend off generic malicious threats, such as the Blaster worm or Conficker. While the focus on large systems, such as MRI machines and x-ray scanners, has typically been to make them reliable, manufacturers have increasingly worked to make them more secure, because the systems are typically connected to hospital networks and encounter any threat on the network.
"Hospitals are now starting to ask, 'How do we do safety so that people cannot change the software in the machine to do something nasty--whether it is malware or a person,'" says Pescatore.
While a medical machine that becomes infected with a virus may not hurt the patient, such machines are huge money-makers for hospitals, so the administrators want to minimize downtime, Pescatore says. For that reason, IT has increasingly begun managing the information technology that controls the systems, requiring more security and better updatability.
In the end, medical manufacturers have to become more sophisticated in their software development. Most companies have not done static analysis, used signed updates, or secured data using a well-vetted encryption software, says Shane Clark, a graduate student in computer science at University of Massachussetts at Amherst and an author of a number of papers on medical-device security.
"Just adopting the Microsoft Secure Development Lifecycle would be a step in the right direction for a lot of these companies," he says.
In a paper to be presented later this month, Clark and his colleagues are investigating the use of power analysis to detect malware in medical machines. Virus infections generally cause machines to perform unexpected tasks, and thus require more power, he says.
Pressure from the U.S. Food and Drug Administration will help put companies on track, but presentations like Radcliffe's talk at Black Hat will likely have a greater impact, because the companies want to do the right thing, Clark says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio