Medical device security
The FDA recall of a medical device last week has caused a bit of a media storm as the general public scrambles to find out more. The fact that a medical device meant to help sustain life is insecure and could be hacked to kill a patient is alarming to all of us. More worrying is that the medical device subject to the recall, a cardiac rhythm management product, or “pacemaker” to the rest of us, is probably not an anomaly. Many other medical devices more than likely also lack adequate security.
To understand the risks, we first need to understand the problem. To be honest, this could require an extensive series of blog posts over weeks to fully examine and explain this properly, but here’s the 50,000-foot version.
First, there are the implantable medical devices (IMDs) like the medical pacemaker at the center of this story. This group of medical devices includes the implanted insulin pump that security researcher Barnaby Jack demonstrated live on stage at the Miami Hacker Halted Conference in 2011, hacking the device to deliver a lethal drug dose. It also includes a pacemaker that was hacked, again by Jack, at the Melbourne BreakPoint Security Conference in 2012 to deliver a lethal 830-volt electric shock to a patient.
Second are the much wider range of network-attached medical devices used in healthcare delivery. These include:
- Diagnostic imaging systems: ultrasound, MRI, PET, CT scanners, and X-ray machines
- Treatment equipment: infusion pumps, medical lasers, and surgical machinery
- Life support: ventilators, anesthetic and dialysis machines
- Medical monitors for oxygen saturation, blood pressure, ECG and EEG, and many, many more.
How to reduce risk and protect devices
By far the most effective approach is microsegmentation, where medical devices are locked down and secured by the network they are attached to. (Attempting to manage 350,000 individual medical devices in a hospital is impossible.)
Modern network infrastructure supports security technologies like Cisco TrustSec©, where each network port acts as a virtual firewall. Using security group tags, network traffic is controlled so that only specifically authorized users—biomedical equipment technicians (or BMETs, as they are known)—have access to reprogram devices, and these systems are only able to communicate with designated internal IP addresses using predetermined ports and protocols. The network will drop everything else, like malware traffic and any connection attempts from unauthorized users. Many of the more advanced healthcare providers have already adopted such an approach, and by employing compensating security controls like TrustSec have been able to secure their networked medical devices from attack.
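To make the microsegmentation idea concrete, here is a small policy evaluator written for this post as an added example; it is not Cisco's TrustSec implementation or configuration syntax. It models the two controls described above: a source-tag/destination-tag matrix that permits only predetermined ports and protocols (with BMETs as the only group allowed to reach the reprogramming port), and a list of designated internal IP ranges per device group. Everything else is dropped and logged. The tag names, IP ranges and port numbers are constructed for illustration and are not taken from the post.

```python
"""Toy microsegmentation policy engine (added example, not Cisco TrustSec code).

Assumptions, all constructed for this example: the group tag names, the
RFC 1918 ranges in DESIGNATED, and the port numbers in POLICY.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_tag: str   # security group tag assigned to the sender at its port
    dst_tag: str   # security group tag of the receiver
    dst_ip: str
    dst_port: int
    proto: str     # "tcp" or "udp"


# Policy matrix: (src_tag, dst_tag) -> allowed (proto, port) pairs.
# Any pair not listed here is dropped: default deny is the whole point.
POLICY = {
    # Only BMETs may reach the device reprogramming service (constructed port).
    ("BMET", "INFUSION_PUMP"): {("tcp", 8443)},
    # Pumps may only talk to the designated clinical server on one port.
    ("INFUSION_PUMP", "MED_SERVER"): {("tcp", 2575)},
    ("MED_SERVER", "INFUSION_PUMP"): {("tcp", 2575)},
}

# Designated internal destination ranges per destination tag (constructed).
DESIGNATED = {
    "MED_SERVER": [ip_network("10.20.0.0/24")],
    "INFUSION_PUMP": [ip_network("10.30.0.0/24")],
}


def evaluate(flow: Flow) -> tuple:
    """Return ("permit" | "drop", reason) for one flow."""
    allowed = POLICY.get((flow.src_tag, flow.dst_tag), set())
    if (flow.proto, flow.dst_port) not in allowed:
        return "drop", "no policy for %s->%s %s/%d" % (
            flow.src_tag, flow.dst_tag, flow.proto, flow.dst_port)
    ranges = DESIGNATED.get(flow.dst_tag, [])
    if not any(ip_address(flow.dst_ip) in net for net in ranges):
        return "drop", "destination %s not in designated range" % flow.dst_ip
    return "permit", "matched policy"


def audit(flows) -> dict:
    """Evaluate flows; return permit count, drop count and drop log lines.

    The drop log is what a SOC would forward to a SIEM: every dropped flow
    from a device tag is a detection signal (misconfiguration or malware).
    """
    result = {"permit": 0, "drop": 0, "log": []}
    for f in flows:
        verdict, reason = evaluate(f)
        result[verdict] += 1
        if verdict == "drop":
            result["log"].append("DROP %s->%s %s:%d/%s (%s)" % (
                f.src_tag, f.dst_tag, f.dst_ip, f.dst_port, f.proto, reason))
    return result


# Constructed sample traffic: one legitimate BMET session, one legitimate
# pump-to-server session, and three flows the segmentation should stop.
SAMPLE_FLOWS = [
    Flow("BMET", "INFUSION_PUMP", "10.30.0.15", 8443, "tcp"),   # permit
    Flow("INFUSION_PUMP", "MED_SERVER", "10.20.0.5", 2575, "tcp"),  # permit
    Flow("GUEST_WIFI", "INFUSION_PUMP", "10.30.0.15", 8443, "tcp"),  # drop: not a BMET
    Flow("INFUSION_PUMP", "INTERNET", "203.0.113.9", 443, "tcp"),   # drop: no policy
    Flow("INFUSION_PUMP", "MED_SERVER", "10.99.0.5", 2575, "tcp"),  # drop: wrong range
]

if __name__ == "__main__":
    summary = audit(SAMPLE_FLOWS)
    print("permitted:", summary["permit"], "dropped:", summary["drop"])
    for line in summary["log"]:
        print(line)
```

The third sample flow is the one that matters for the recall story: a device on an untagged or guest segment asking for the reprogramming port is refused at the network edge regardless of whether the device firmware itself would have authenticated the request. The last flow shows why the designated-destination check is separate from the port matrix: a correct port to an unexpected address is still dropped.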