Strengthening Security for Connected Medical Devices

By Santhosh Nair

Santhosh Photo

Three years ago an article in the New England Journal of Medicine reported that computer hackers could gain wireless access to implanted pacemakers and shut them off, or reprogram defibrillators to deliver fatal jolts of electricity. This generated an avalanche of press worldwide about the hidden risks of medical devices, followed by requisite hand-wringing from politicians and promises of stiffer regulations. For this and other reasons, makers of medical devices have been steadily increasing their focus on security. They realize that the threat is far broader than a hacked ICD. Embedded software is part of everything from CT scanners to imaging systems to intensive-care ventilators. And the fact is, the rapid growth in the number, the intelligence, and the interconnectedness of medical devices has created an upward spiral in security threats. 

Just a few examples:

? Diagnostics, therapy, and imaging devices are connected in the Hospital Imaging System (HIS), and a vulnerability in any one device puts the entire HIS at higher risk.

? In the United States, hackers have been able to glean personal patient data by eavesdropping on signals from wireless radios embedded in implants. 

? Security experts are worried that hackers might go after the medical devices designed to deliver medicine. In 2010, Dr. Tadayoshi Kohno and William Maisel of the Cardiovascular Institute of Beth Israel Deaconess Medical Center in Boston called for the FDA to regulate and work with medical device manufacturers to stop potential security breaches in a wide range of wireless devices.

? In Australia, the computer dispatch system for an ambulance service was infected by a virus, forcing staff to shut it down. As a result, health officials had to revert to coordinating the state’s paramedics and ambulances via a manual paper-based system—putting lives at risk.

Equally alarming, security exploits are being perpetrated by a new breed of hackers. It’s not just smart kids trying to breach a firewall for sport anymore. Professional, well-funded groups—including organized crime, government agencies, and terrorist cells—are attempting to crack into secure networks, access sensitive information, and alter the behavior of critical systems, causing physical harm to equipment and potentially putting lives at risk.

These security concerns have resulted in the formation of the Medical Device Innovation, Safety and Security Consortium (MDISS), a non-profit organization created earlier this year which aims to advance computer risk management practices.  The consortium is focused on optimizing the relationship between the quality of healthcare and the process of assessing and ensuring that devices and systems are secure.

For the developers of medical devices, two things have become crystal clear: first, tackling the emerging security challenges is an urgent imperative; and second, solving security issues can create significant competitive advantages. 

That is why medical device developers are now taking a more holistic approach to device security. Development teams are considering security issues at every layer of the development stack: the hardware platform, the virtualization technology, the operating system, the network stack or other communications middleware, the packets of data being sent across the network, and the applications.

By taking a platform perspective to security, and by harnessing the efficiencies of cyber-security-certified components, medical device developers can cut development costs and timeframes while actually decreasing overall security risks. That signals more than a paradigm shift for embedded developers—it’s a true transformation that will result in more secure medical devices and stronger financial results for development firms and the healthcare industry.