Complexity Conundrum: New Threats to Medical Device Security
With increasing software sophistication and complexity, are security vulnerabilities an inevitability? We spoke with Arnab Ray, Senior Research Scientist at the Fraunhofer Center, about the issues surrounding device security and how they will affect companies in the coming years.
Clarke: Arnab, at the Software Design for Medical Devices conference you're going to be speaking on the topic of device security. What do you think are the current threats to device security and how will that change in the future?
Ray: Currently, most of the focus on device security has been on wireless communication. Many devices are operated by a remote control, and most of the attacks that have been demonstrated have essentially been hacking into – and I use the word hacking in a very loose, popular sense – that link between the wireless controller and the device. As an example, if you have a pacemaker installed, the pacemaker is controlled by a kind of remote control from outside, but if you are able to tamper with the communication and send something which induces a fatal heart rhythm inside the heart, then you've done something really bad. Most of the focus has been on the wireless communication. Now, while I absolutely understand that is a major attack surface, there are other attack surfaces that receive less attention. Personally, based on the work that I have done for a medical device manufacturer, it's sometimes the other, even easier, ones that are ignored.
For instance, most devices nowadays have a USB port; many homecare devices have USB connections to a laptop. People want to be able to import or export their data or change settings on their device through a desktop, because it's much more convenient to do it through a desktop than on a small screen on a device. Now, the problem is that the moment you connect your device to a laptop which is connected to the Internet – and God knows what else you do on that machine – you're effectively connecting your device to the Internet, and if somebody has compromised your machine it can be detected from outside that this particular device is now connected to this machine. This opens up a whole new ecosystem of attacks, which can be remotely executed over the Internet on your device and which are the most difficult because the attacker will leave no trace. We have shown a device manufacturer how their device could actually be compromised through the Internet.
This is going to become more and more of a problem, because nowadays we are moving from the single-device to a network-of-devices paradigm, which means devices will be expected to connect to other devices, so you cannot trust other nodes on this network, and they will be asked to connect with the central infrastructure in the hospital, and that central infrastructure itself might already have been compromised. That means that every device has to consider two things: that it could be talking to another device which is compromised, or it could be talking to a centralised infrastructure which could be compromised, so it itself can be compromised. This means that an enormous layer of security engineering now needs to go on devices, and this wasn't there before, because devices were never really meant to talk to anybody else.
Clarke: How real do you currently believe this threat is and how can companies take account of this?
Ray: One of the sentiments I've often encountered when I make this presentation is that somebody will come up to me and ask, wait, has this ever really happened in real life, or has it just been demonstrated in labs and by security researchers? My answer to them is, well, here's the thing: no, it's never been seen in the real world; at least, this hacking into wireless hasn't been demonstrated in real life. There's never been an incident. There have been incidents of data breaches, of course, on IT systems that hold medical data. The thing is – and this is where it's really, really worrisome – that if you have a successful intrusion into a medical device, and you're actually able to trigger something bad, it will not be manifested as an attack; it will be manifested as a safety defect. It's not possible for us to even know whether an attack has happened or not, because unlike an IT system, which has things like logs and intrusion detection systems, there's nothing like that on a device. Intrusions will never be detected and recorded, so there might have been intrusions into devices, but we will never know because they're not engineered for that. We wouldn't detect the fact that an intrusion has taken place, far less prevent it.
Clarke: How do you think regulators will deal with this threat and how can the industry work with regulators to design effective legislation?
Ray: Right now, the Food and Drug Administration a few months ago came up with a guidance document on cybersecurity for medical devices and for connected medical devices. There's a lot of activity currently among regulators as well as industry to come up with standards and guidance documents, to come up with a new 14971 which would deal with risk management in the face of security. Right now, risk management is primarily thought of in terms of safety, but now it has to have security in it. I'm hoping that within the next one or two years there will be very specific medical device standards. One thing that I would want to stress over here: many people think, why is medical device security such a concern? Isn't computer security... hasn't that been a domain of study for the last 20, 30 years? What's new about medical device security which makes it so different?
Well, what makes medical device security so different from other kinds of security is that a computer is not a safety system. For instance, if you're using Gmail and you lose your password, the worst that can happen is you lose access to your email, or it takes a day for you to get it back. In medical devices, you cannot do that. The security countermeasures that you've put in cannot compromise your service, so that means that the security countermeasures, and the whole notion of security, have to be much more subtle and much less obtrusive than in the normal IT systems we use, because none of them are critically linked to our personal wellbeing in the sense that medical devices are. So that makes the whole commotion... and I can give you another example. For instance, one simple solution to everything is: encrypt the data. Yes, that's a good solution, but guess what? If the thing which is doing the encryption is actually implanted inside your body, or it's attached to your skin, the process of encryption takes a lot of CPU cycles, which means heat is being generated. Now, normally we don't care about heat for a laptop or for a desktop, but trust me, if there's something on your skin or inside your body, you do want to care about the heat that's being generated. All of these are issues about medical devices which make it very, very difficult to actually add security on top without hampering or inhibiting safety or efficacy, and that's where the research challenge is.
Clarke: Are security threats just going to be inevitable with increasing device sophistication and with this increasing sophistication does that mean that cybersecurity is going to cost increasingly more?
Ray: Yes, cybersecurity is going to cost increasingly more, and as you said, the more complex you make software... the basic principle of security is that the attacker has to understand some behaviour of your system that you haven't understood properly, and that's the basic principle of a security vulnerability. There's something about the operation of the software that you didn't think about that the attacker has thought about. So the more complex the software system becomes, the more such gaps in understanding exist. That's inevitable. The scope, the surface of vulnerabilities, is going to keep on increasing as we go on, and of course the cost of maintaining security is obviously going to go up. But it is inevitable, because that's exactly what the market wants. Patients now want devices to talk to each other; hospitals want devices to talk to each other, and manufacturers have to go down this path.
Clarke: I'm almost hesitant to stop on that gloomy note, but I'm sure we can hear much more from you at the Software Design for Medical Devices event.
Ray: Absolutely. I talked about the problems; there I'll talk about the solutions.
Clarke: If you would like to find out more about this topic and the Software Design for Medical Devices Europe conference, January 27-30 in Munich, Germany, visit us at www.sdmdeurope.com.
Please note that we do all we can to ensure accuracy in the transcription of audio interviews, but errors may still understandably occur in some cases. If you believe that a serious inaccuracy has been made within the text, please contact +44 (0) 207 368 9482 or email firstname.lastname@example.org