    Security for Connected Medical Devices

    Why including the latest security protocols and technologies is an essential design task.

    Alan Grau, VP of IoT/Embedded Solutions, Sectigo, 02.18.20
    Every day, medical device manufacturers throughout the world race to develop new, highly sophisticated and increasingly connected products. These products offer a wide range of benefits: improved treatments, more precise diagnostics, better patient monitoring, automated control and central reporting, and monitoring of data. However, with increased functionality and connectivity comes increased risk: dangers notable enough that the FDA in the U.S. has issued cybersecurity guidelines to help OEMs ensure medical devices are safe from cyberattacks.
     
    Even though medical device manufacturers are heavily investing in the development of new medical device technologies, they often lack the security expertise and the technical resources to ensure that high levels of security are built into these solutions. Many of these devices employ new protocols, platforms and middleware solutions that have not been thoroughly vetted for security issues. The result, not surprisingly, is the continued manufacturing of devices that are easily compromised by hackers. In turn, we continue to see headlines of new security vulnerabilities being discovered in critical medical devices.
     
    In addition, ransomware attacks have targeted hospitals and medical providers with alarming success. In these attacks, hackers compromise a system, encrypt critical data so the systems cannot operate, and then demand a ransom to restore the system to working order. In the past, ransomware attacks have targeted IT and database systems. Future attacks may focus on the medical devices themselves. If a hacker can control systems that impact patient outcomes, they will have tremendous additional leverage for their ransom demands.
     
    FDA Cybersecurity Guidelines
    A few of the capabilities recommended in the FDA guidelines include:
    • Restricting unauthorized access to medical devices.
    • Making certain that firewalls are up-to-date.
    • Monitoring network activity for unauthorized use.
    • Disabling all unnecessary ports and services.
     
    What do these guidelines mean for an engineer working on a medical device? 
     
    Many medical devices are specialized products—the security solutions used for standard PCs often won’t work for specialized devices. Clearly, meeting the security guidelines is important. Doing so requires an approach that is customized to the needs of the device.
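As an added illustration of the "disabling all unnecessary ports and services" guideline (not part of the original article): assuming a device that runs embedded Linux, the C check below parses a socket table in /proc/net/tcp layout and reports every listening TCP port that is not on the device's allowlist. The sample table, the allowlist and the function name are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define TCP_LISTEN 0x0A  /* socket state value for LISTEN in /proc/net/tcp */

/* Constructed sample in /proc/net/tcp layout (not captured from a device):
 * listeners on 443, 23 and 8080, plus one established connection. */
static const char SAMPLE_PROC_NET_TCP[] =
"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
"   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1\n"
"   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1\n"
"   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1\n"
"   3: 1401A8C0:01BB 0501A8C0:C738 01 00000000:00000000 00:00000000 00000000     0        0 1004 1\n";

/* Assumed policy for the example: only the TLS service may listen. */
static const unsigned SAMPLE_ALLOWED[] = { 443 };

static int port_allowed(unsigned port, const unsigned *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == port)
            return 1;
    return 0;
}

/* Scans the table line by line. Every socket in LISTEN state whose local
 * port is not allowed is counted; the first out_cap such ports are stored
 * in out. Header and malformed lines are skipped. */
size_t find_unexpected_listeners(const char *table,
                                 const unsigned *allowed, size_t n_allowed,
                                 unsigned *out, size_t out_cap)
{
    size_t found = 0;
    const char *p = table;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];

        if (len < sizeof line) {
            unsigned port = 0, state = 0;
            memcpy(line, p, len);
            line[len] = '\0';
            /* sl: local_ip:local_port remote_ip:remote_port state ... */
            if (sscanf(line, " %*d: %*8[0-9A-Fa-f]:%x %*8[0-9A-Fa-f]:%*x %x",
                       &port, &state) == 2 &&
                state == TCP_LISTEN &&
                !port_allowed(port, allowed, n_allowed)) {
                if (found < out_cap)
                    out[found] = port;
                found++;
            }
        }
        p += len + (eol ? 1 : 0);
    }
    return found;
}

int main(void)
{
    unsigned bad[8];
    size_t n = find_unexpected_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_ALLOWED,
                                         1, bad, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("unexpected listener on TCP port %u\n", bad[i]);
    return n == 0 ? 0 : 1;  /* non-zero exit fails a build or self-test */
}
```

The table covers IPv4 TCP only; IPv6 and UDP sockets are listed in separate /proc/net files with wider address fields and would need their own pass.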
     
    Use of multiple layers of protection, including firewalls, authentication, security protocols, and intrusion detection/intrusion prevention, is a long-established driving principle for enterprise security. In contrast, most medical devices, especially in-home and mobile devices, lack basic firewalls or security protocols, and often rely on little more than simple password authentication. For decades, device manufacturers assumed these devices were not attractive targets to hackers or were not vulnerable to attacks. That is no longer true. Attacks against all types of embedded devices, including medical products, are on the rise and greater security measures are now needed.
     
    For more than 25 years, cybersecurity has been a critical focus for large enterprises. Now medical device design engineers need to take a page from the enterprise security playbook.
     
    Vulnerabilities in Embedded Devices
    Before diving into the problem of how to secure connected medical devices, it is important to consider the origin of security vulnerabilities. Broadly speaking, most vulnerabilities in embedded devices can be divided into one of three categories: implementation vulnerabilities, deployment or use vulnerabilities, and design vulnerabilities. 
     
    Implementation vulnerabilities occur when coding errors result in a weakness that can be exploited during a cyberattack. The infamous, and seemingly immortal, buffer overflow attacks are the classic example of implementation vulnerabilities. Other examples include improperly seeding random number generators, which can result in the generation of security keys that are easy to guess. Adherence to software development processes such as the OWASP Secure Software Development Lifecycle or Microsoft’s Security Development Lifecycle and thorough testing processes help to address implementation vulnerabilities. 
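The improper-seeding case described above, as an added C example that is not part of the original article: a key derived from a libc PRNG seeded with a boot timestamp next to one drawn from the operating system's CSPRNG, with a bench check that counts devices ending up with the same key. The function names and the boot timestamps are constructed for illustration, and the hardened path assumes the platform provides /dev/urandom.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16
#define MAX_DEVICES 16

/* WEAK: key bytes come from the libc PRNG seeded with a boot timestamp,
 * so the key is a pure function of a small, guessable number. */
void weak_key(uint32_t boot_seconds, uint8_t key[KEY_LEN])
{
    srand(boot_seconds);
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* HARDENED: key bytes come from the OS CSPRNG. Returns 0 on success and
 * -1 on failure; it never falls back to a weaker source. */
int strong_key(uint8_t key[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    if (n != KEY_LEN) {
        memset(key, 0, KEY_LEN);
        return -1;
    }
    return 0;
}

/* Bench check: generate one key per simulated device and count how many
 * devices receive a key already issued to an earlier device.
 * Returns -1 on error. */
int count_duplicate_keys(const uint32_t *boot_seconds, size_t count,
                         int hardened)
{
    uint8_t keys[MAX_DEVICES][KEY_LEN];
    int duplicates = 0;

    if (count > MAX_DEVICES)
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (hardened) {
            if (strong_key(keys[i]) != 0)
                return -1;
        } else {
            weak_key(boot_seconds[i], keys[i]);
        }
        for (size_t j = 0; j < i; j++) {
            if (memcmp(keys[i], keys[j], KEY_LEN) == 0) {
                duplicates++;
                break;
            }
        }
    }
    return duplicates;
}

/* Constructed sample: four units powered on within the same two seconds. */
static const uint32_t SAMPLE_BOOT_SECONDS[4] = {
    1700000000u, 1700000000u, 1700000001u, 1700000000u
};

int main(void)
{
    printf("time-seeded duplicates: %d\n",
           count_duplicate_keys(SAMPLE_BOOT_SECONDS, 4, 0));
    printf("CSPRNG duplicates:      %d\n",
           count_duplicate_keys(SAMPLE_BOOT_SECONDS, 4, 1));
    return 0;
}
```

A duplicate count above zero on a production-line sample is a quick signal that key generation depends on something other than real entropy.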
     
    Deployment or use vulnerabilities relate to issues that are introduced by the user during the operation or installation of the device. These include issues such as not changing default passwords, using weak passwords, not enabling security features, etc.
     
    In contrast, design vulnerabilities are weaknesses that result from a failure to include proper security measures when developing the device. Examples of design vulnerabilities that have resulted in security breaches include use of hard-coded passwords, control interfaces with no user authentication, and use of communication protocols that send passwords and other sensitive information in the clear. Other less glaring examples include devices without secure boot or that allow unauthenticated remote firmware updates.
     
    Embedded Security Challenges
    Medical devices comprise a wildly diverse range of device types—from small to large, and from simple to complex. These are embedded devices, which differ greatly from standard PCs or other consumer devices. They are fixed-function devices specifically designed to perform a specialized task. Many of them use a specialized operating system such as VxWorks, FreeRTOS or INTEGRITY, or a stripped-down version of Linux. Installing new software on the system in the field either requires a specialized upgrade process or is simply not supported. In most cases, these devices are optimized to minimize processing cycles and memory usage and do not have the extra processing resources required to support traditional security mechanisms.
     
    As a result, standard PC security solutions won’t solve the challenges of embedded devices. In fact, given the specialized nature of embedded systems, Windows-based PC security solutions won’t even run on most embedded devices.
     
    Challenges for medical device security include:
    1. Critical functionality: Medical devices control life-enabling systems and manage sensitive data.  
    2. Replication: Once designed and built, medical devices are mass produced resulting in thousands to millions of identical devices. Once discovered by a bad actor, a successful attack against one of these devices can be replicated across all the devices.
    3. Security assumptions: Many medical device engineers have long assumed that their products are not targets for hackers and have not considered security a critical priority.
    4. Not easily patched: Most medical devices are not easily upgraded. Once they are deployed, they will only run the software that was originally installed at the factory, including any vulnerabilities.
    5. Long lifecycle: The lifecycle for medical devices may be as long as 10, 15, or even 20 years. Building a device that will stand up to the ever-evolving and increasing security requirements of the next two decades is a tremendous challenge.
    6. Beyond the perimeter: Medical devices may be deployed outside of the enterprise security perimeter, may be mobile, or may be deployed in homes, environments lacking the protections found in a corporate environment.
    7. Obscure to users: There is no way for the end user to easily monitor, change, or update an embedded device’s security health.
     
    Cyberattacks and The Motivated Hacker
    The level of security required for a medical device varies depending upon the function of the device. Rather than asking if the device is secure, OEMs should be asking if the device is secure enough. For example, a robotic surgery system clearly needs a very different level of security than connected sensors for remote monitoring of patients.
     
    Hacking is not just the domain of bored teenagers, hacking drones, or even the small groups of motivated hackers. When the stakes are high enough, cyberattacks are multi-phased, multi-year efforts carried out by large, well-funded teams of hackers.
     
    We are no longer talking about protecting a device from just malformed IP packets or DoS packet floods. Hackers know how to research their targets—they often have detailed operating information on the device they are targeting and have sophisticated toolkits and skills that can be used to develop attacks. But how often have OEMs considered how to protect the device from attack from a group with detailed knowledge of the inner workings of their product?
     
    Security Requirements for Medical Devices
    A security solution for medical devices must protect firmware from tampering, secure the data stored by the device, secure communication, and protect the device from cyberattacks. This can only be achieved by building in security from the earliest stages of design.
     
    Unfortunately, there is no single one-size-fits-all security solution for medical devices. Engineers must take into consideration the cost of a security failure (economic, environmental, social, etc.), the risk of attack, available attack vectors, and the cost of implementing a security solution. 
     
    Features that need to be considered are:

     
     
    Integrating Security into The Device
    Building protection into the device itself provides a critical security layer that ensures devices are no longer depending on the corporate firewall as their sole layer of security and allows security to be customized to the needs of the device.
     
    The engineering team must be as focused on security as they are on the new capabilities of the device. Building these capabilities into a medical device will enable the device to meet the FDA security guidelines.

     
     
    Supply Chain Considerations
    Further adding to the complexity of developing secure medical devices are the challenges with a diverse supply chain. Medical devices include software and firmware from the chip vendors, RTOS vendors, middleware providers, and software vendors. Each of these components can potentially contain software flaws that could lead to security vulnerabilities. 
     
    In addition to ensuring proper security measures are built into the device, OEMs must impose secure development processes and monitoring of suppliers to prevent the introduction of vulnerabilities in firmware components. 
     
    Summary
    Today’s modern medical devices are complex connected computing devices that perform critical functions. Including the latest security protocols and technologies in these devices is an essential design task. Security features must be considered at the very beginning of the design process to ensure the device is protected from the numerous advanced cyber threats it will face.
     

    Alan Grau has 30 years of experience in telecommunications and the embedded software marketplace. Grau joined Sectigo, a leading Certificate Authority and provider of purpose-built PKI management solutions, in May 2019 as part of the company’s acquisition of Icon Labs, where he was CTO and co-founder, as well as the architect of Icon Labs' award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security. More info about cybersecurity and protecting the cloud can be found at https://www.sectigo.com.