    Security for Connected Medical Devices

    Why including the latest security protocols and technologies is an essential design task.

    Alan Grau, VP of IoT/Embedded Solutions, Sectigo, 02.18.20
    Every day, medical device manufacturers throughout the world race to develop new, highly sophisticated and increasingly connected products. These products offer a wide range of benefits: improved treatments, more precise diagnostics, better patient monitoring, automated control and central reporting, and monitoring of data. However, with increased functionality and connectivity comes increased risk – dangers notable enough that the FDA in the U.S. has issued cybersecurity guidelines to help OEMs ensure medical devices are safe from cyberattacks.
     
    Even though medical device manufacturers are heavily investing in the development of new medical device technologies, they often lack the security expertise and the technical resources to ensure that high levels of security are built into these solutions. Many of these devices employ new protocols, platforms and middleware solutions that have not been thoroughly vetted for security issues. The result, not surprisingly, is the continued manufacturing of devices that are easily compromised by hackers. In turn, we continue to see headlines of new security vulnerabilities being discovered in critical medical devices.
     
    In addition, ransomware attacks have targeted hospitals and medical providers with alarming success. In these attacks, hackers compromise a system, encrypt critical data so the systems cannot operate, and then demand a ransom to restore the system to working order. In the past, ransomware attacks have targeted IT and database systems. Future attacks may focus on the medical devices themselves. If a hacker can control systems that impact patient outcomes, they will have tremendous additional leverage for their ransom demands.
     
    FDA Cybersecurity Guidelines
    A few of the capabilities recommended in the FDA guidelines include:
    • Restricting unauthorized access to medical devices.
    • Making certain that firewalls are up-to-date.
    • Monitoring network activity for unauthorized use.
    • Disabling all unnecessary ports and services.
     
    What do these guidelines mean for an engineer working on a medical device? 
     
    Many medical devices are specialized products—the security solutions used for standard PCs often won’t work for specialized devices. Clearly, meeting the security guidelines is important. Doing so requires an approach that is customized to the needs of the device.
     
    Use of multiple layers of protection, including firewalls, authentication, security protocols, and intrusion detection/intrusion prevention, is a long-established driving principle for enterprise security. In contrast, most medical devices, especially in-home and mobile devices, lack basic firewalls or security protocols, and often rely on little more than simple password authentication. For decades, device manufacturers assumed these devices were not attractive targets to hackers or were not vulnerable to attacks. That is no longer true. Attacks against all types of embedded devices, including medical products, are on the rise and greater security measures are now needed.
     
    For more than 25 years, cybersecurity has been a critical focus for large enterprises. Now medical device design engineers need to take a page from the enterprise security playbook.
     
    Vulnerabilities in Embedded Devices
    Before diving into the problem of how to secure connected medical devices, it is important to consider the origin of security vulnerabilities. Broadly speaking, most vulnerabilities in embedded devices can be divided into one of three categories: implementation vulnerabilities, deployment or use vulnerabilities, and design vulnerabilities. 
     
    Implementation vulnerabilities occur when coding errors result in a weakness that can be exploited during a cyberattack. The infamous, and seemingly immortal, buffer overflow attacks are the classic example of implementation vulnerabilities. Other examples include improperly seeding random number generators, which can result in the generation of security keys that are easy to guess. Adherence to software development processes such as the OWASP Secure Software Development Lifecycle or Microsoft’s Security Development Lifecycle and thorough testing processes help to address implementation vulnerabilities. 
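The random-number seeding weakness named above, shown beside a hardened form as an added example (not code from the article or from any product). It assumes a Linux-based device that exposes /dev/urandom; the function names and the boot-time value are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16
#define BATCH   4   /* constructed batch size for the audit below */

/* WEAK: every key byte is derived from one 32-bit seed (e.g. boot time).
 * Identical firmware seeded with the same value yields the same key. */
void weak_keygen(unsigned int seed, unsigned char key[KEY_LEN])
{
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* HARDENED: fill the key from the OS CSPRNG. Returns 0 on success, -1 on
 * failure; provisioning must stop on failure rather than fall back. */
int strong_keygen(unsigned char key[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return got == KEY_LEN ? 0 : -1;
}

/* Provisioning-line check: count pairs of devices that share a key. */
int count_duplicate_pairs(unsigned char keys[][KEY_LEN], int n)
{
    int dup = 0;
    for (int i = 0; i < n; i++)
        for (int j = i + 1; j < n; j++)
            if (memcmp(keys[i], keys[j], KEY_LEN) == 0)
                dup++;
    return dup;
}

/* Constructed scenario: BATCH identical devices powered on in the same
 * second. Returns the number of duplicate key pairs, or -1 on RNG failure. */
int audit_batch(int use_weak, unsigned int boot_time)
{
    unsigned char keys[BATCH][KEY_LEN];
    for (int i = 0; i < BATCH; i++) {
        if (use_weak)
            weak_keygen(boot_time, keys[i]);
        else if (strong_keygen(keys[i]) != 0)
            return -1;
    }
    return count_duplicate_pairs(keys, BATCH);
}

int main(void)
{
    unsigned int boot_time = 1582000000u; /* constructed sample value */
    printf("time-seeded rand(): %d duplicate key pairs\n",
           audit_batch(1, boot_time));
    printf("OS CSPRNG:          %d duplicate key pairs\n",
           audit_batch(0, boot_time));
    return 0;
}
```

On an RTOS without /dev/urandom, the same structure applies with the platform's hardware random number source in place of the file read.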
     
    Deployment or use vulnerabilities relate to issues that are introduced by the user during the operation or installation of the device. These include issues such as not changing default passwords, using weak passwords, not enabling security features, etc.
     
    In contrast, design vulnerabilities are weaknesses that result from a failure to include proper security measures when developing the device. Examples of design vulnerabilities that have resulted in security breaches include use of hard-coded passwords, control interfaces with no user authentication, and use of communication protocols that send passwords and other sensitive information in the clear. Other less glaring examples include devices without secure boot or that allow unauthenticated remote firmware updates.
     
    Embedded Security Challenges
    Medical devices comprise a wildly diverse range of device types—from small to large, and from simple to complex. These are embedded devices, which differ greatly from standard PCs or other consumer devices. They are fixed-function devices specifically designed to perform a specialized task. Many of them use a specialized operating system such as VxWorks, FreeRTOS or INTEGRITY, or a stripped-down version of Linux. Installing new software on the system in the field either requires a specialized upgrade process or is simply not supported. In most cases, these devices are optimized to minimize processing cycles and memory usage and do not have the extra processing resources required to support traditional security mechanisms.
     
    As a result, standard PC security solutions won’t solve the challenges of embedded devices. In fact, given the specialized nature of embedded systems, Windows-based PC security solutions won’t even run on most embedded devices.
     
    Challenges for medical device security include:
    1. Critical functionality: Medical devices control life-enabling systems and manage sensitive data.  
    2. Replication: Once designed and built, medical devices are mass produced resulting in thousands to millions of identical devices. Once discovered by a bad actor, a successful attack against one of these devices can be replicated across all the devices.
    3. Security assumptions: Many medical device engineers have long assumed that their products are not targets for hackers and have not considered security a critical priority.
    4. Not easily patched: Most medical devices are not easily upgraded. Once they are deployed, they will only run the software that was originally installed at the factory, including any vulnerabilities.
    5. Long lifecycle: The lifecycle for medical devices may be as long as 10, 15, or even 20 years. Building a device that will stand up to the ever-evolving and increasing security requirements of the next two decades is a tremendous challenge.
    6. Beyond the perimeter: Medical devices may be deployed outside of the enterprise security perimeter, may be mobile, or may be deployed in homes—environments lacking the protections found in a corporate environment.
    7. Obscure to users: There is no way for the end user to easily monitor, change, or update an embedded device’s security health.
     
    Cyberattacks and The Motivated Hacker
    The level of security required for a medical device varies depending upon the function of the device. Rather than asking if the device is secure, OEMs should be asking if the device is secure enough. For example, a robotic surgery system clearly needs a very different level of security than connected sensors for remote monitoring of patients.
     
    Hacking is not just the domain of bored teenagers, hacking drones, or even the small groups of motivated hackers. When the stakes are high enough, cyberattacks are multi-phased, multi-year efforts carried out by large, well-funded teams of hackers.
     
    We are no longer talking about protecting a device from just malformed IP packets or DoS packet floods. Hackers know how to research their targets—they often have detailed operating information on the device they are targeting and have sophisticated toolkits and skills that can be used to develop attacks. But how often have OEMs considered how to protect the device from attack from a group with detailed knowledge of the inner workings of their product?
     
    Security Requirements for Medical Devices
    A security solution for medical devices must protect firmware from tampering, secure the data stored by the device, secure communication, and protect the device from cyberattacks. This can only be achieved by building in security from the earliest stages of design.
     
    Unfortunately, there is no single one-size-fits-all security solution for medical devices. Engineers must take into consideration the cost of a security failure (economic, environmental, social, etc.), the risk of attack, available attack vectors, and the cost of implementing a security solution. 
     
    Features that need to be considered are:

     
     
    Integrating Security into The Device
    Building protection into the device itself provides a critical security layer that ensures devices are no longer depending on the corporate firewall as their sole layer of security and allows security to be customized to the needs of the device.
     
    The engineering team must be as focused on security as they are on the new capabilities of the device. Building these capabilities into a medical device will enable the device to meet the FDA security guidelines.

     
     
    Supply Chain Considerations
    Further adding to the complexity of developing secure medical devices are the challenges with a diverse supply chain. Medical devices include software and firmware from the chip vendors, RTOS vendors, middleware providers, and software vendors. Each of these components can potentially contain software flaws that could lead to security vulnerabilities. 
     
    In addition to ensuring proper security measures are built into the device, OEMs must impose secure development processes and monitoring of suppliers to prevent the introduction of vulnerabilities in firmware components. 
     
    Summary
    Today’s modern medical devices are complex connected computing devices that perform critical functions. Including the latest security protocols and technologies in these devices is an essential design task. Security features must be considered at the very beginning of the design process to ensure the device is protected from the numerous advanced cyber threats it will face.
     

    Alan Grau has 30 years of experience in telecommunications and the embedded software marketplace. Grau joined Sectigo, a leading Certificate Authority and provider of purpose-built PKI management solutions, in May 2019 as part of the company’s acquisition of Icon Labs, where he was CTO and co-founder, as well as the architect of Icon Labs' award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security. More info about cybersecurity and protecting the cloud can be found at https://www.sectigo.com.