Daniel Miessler, Director of Advisory Services for IOActive (An ICIT Fellow)06.07.16
If you follow information security news to any degree you’ve likely seen numerous stories about vulnerabilities in medical devices and other medical infrastructure.
Mike Ahmadi and Billy Rios are two security researchers who recently found 1,418 vulnerabilities in the CareFusion Pyxis SupplyStation system. The product is a drug cabinet that secures and allows access to controlled substances. Previously, flaws were found in the Hospira PCA3 drug infusion pump that allowed attackers to potentially change the drug or dosage being administered through the device.
In both cases, and many more that we’re seeing in the news, the implications to patient health are quite clear: if you can’t get the care you need because infrastructure is unavailable, or if the integrity of the substances being delivered is compromised, we quickly leave the realm of information security and technology, and enter the more serious world of safety.
This transition is significant, and there are many areas of national and global infrastructure that will face similar challenges. Medical device infrastructure is absolutely part of this.
How the CIA Triad Applies to Cyber-Physical Safety
In the information security world there is something known as the CIA Triad, which stands for Confidentiality, Integrity, and Availability. Confidentiality relates to sensitive data being stolen, Integrity has to do with something important being modified without authorization, and Availability deals with ensuring that the system is able to perform its function.
The key thing to understand here is that all three of these components apply to the medical device security conversation.
What We Can Expect for Medical Device Security
Based on this clear link between cyber and safety, and the fact that the delivery of medical services is a core component of any society’s infrastructure, we can expect to see the following events in coming months and years.
The United States government has already begun exploring the creation and enforcement of standards for critical technology infrastructure, including in the medical space, and we can expect this trend to continue.
We expect to see a combination of forces bringing increased standardization to the building and deployment of medical devices:
Given the number of vulnerabilities that have been disclosed so far, we can expect to see a significant number of additional vulnerabilities to be disclosed in medical devices, up to and including critical issues.
Given the number of vulnerabilities that are likely present throughout our medical device infrastructure, it is reasonable to expect that a number of real-world incidents are likely to occur before security becomes a mature and properly integrated component of medical device development and implementation.
Summary
Mike Ahmadi and Billy Rios are two security researchers who recently found 1,418 vulnerabilities in the CareFusion Pyxis SupplyStation system. The product is a drug cabinet that secures and allows access to controlled substances. Previously, flaws were found in the Hospira PCA3 drug infusion pump that allowed attackers to potentially change the drug or dosage being administered through the device.
In both cases, and many more that we’re seeing in the news, the implications to patient health are quite clear: if you can’t get the care you need because infrastructure is unavailable, or if the integrity of the substances being delivered is compromised, we quickly leave the realm of information security and technology, and enter the more serious world of safety.
This transition is significant, and there are many areas of national and global infrastructure that will face similar challenges. Medical device infrastructure is absolutely part of this.
How the CIA Triad Applies to Cyber-Physical Safety
In the information security world there is something known as the CIA Triad, which stands for Confidentiality, Integrity, and Availability. Confidentiality relates to sensitive data being stolen, Integrity has to do with something important being modified without authorization, and Availability deals with ensuring that the system is able to perform its function.
The key thing to understand here is that all three of these components apply to the medical device security conversation.
- Attacks against Confidentiality can yield sensitive patient data.
- Attacks against Integrity can mean patients can receive the wrong care, resulting in harm.
- Attacks against Availability can prevent patients from receiving the care they need, resulting in harm.
What We Can Expect for Medical Device Security
Based on this clear link between cyber and safety, and the fact that the delivery of medical services is a core component of any society’s infrastructure, we can expect to see the following events in coming months and years.
The United States government has already begun exploring the creation and enforcement of standards for critical technology infrastructure, including in the medical space, and we can expect this trend to continue.
We expect to see a combination of forces bringing increased standardization to the building and deployment of medical devices:
- Government regulations will come into effect that require security in various portions of the supply chain and implementation
- As incidents become more prevalent and public, consumer scrutiny and awareness will become a factor in encouraging manufacturers and hospitals to be more secure (and to be vocal about the fact that they are)
- The market in general will push security to the forefront of not only manufacturer priorities, but also hospital administrations.
Given the number of vulnerabilities that have been disclosed so far, we can expect to see a significant number of additional vulnerabilities to be disclosed in medical devices, up to and including critical issues.
Given the number of vulnerabilities that are likely present throughout our medical device infrastructure, it is reasonable to expect that a number of real-world incidents are likely to occur before security becomes a mature and properly integrated component of medical device development and implementation.
Summary
- Medical devices bridge the gap between cybersecurity and safety.
- Safety issues related to medical devices can come in the form of attacks against both Integrity and Availability.
- Expect to see increased pressure towards medical security coming from both the government and the market.
- Expect to see far more vulnerabilities disclosed.
- Expect to see more real-world incidents, up to and including the loss of human life, due to the number of vulnerabilities and the years it will take to address the problem.