Industry Focus
The State of Medical Device Security
Much has been said about the security risks connected medical devices pose, but what is the true situation? Lucy Ingham hears from Dan Lyon, principal consultant at Synopsys, about the challenges facing the field
From pacemakers being hacked live on stage at the world’s top security conferences to attention-grabbing headlines in newspapers, the public perception of medical device security is not good.
But according to Dan Lyon, principal consultant at Synopsys, the situation is far more nuanced.
“What the media sends out there is that vulnerabilities are everywhere, when for the most part you could say that mostly they're fine. But you just don't want to be one of the things that isn't, even if it's a small percentage,” he says.
Nevertheless, with an industry that is adding connectivity to long-established products, there are still issues.
“Most connected devices are immature in terms of they're succeeding at doing things where there are huge benefits for connectivity, but not necessarily understanding the attack surface they've created.”
Security’s place in the evolution of medical devices
With such an important focus, medical devices have an extremely high level of quality. However, most experts in the field have been involved in their development long before they offered connectivity, making security a new challenge that many are still working to embrace.
“It's very different from going into a financial institution where everyone is 25. And there's a whole new security culture that has to be adopted,” says Lyon.
“I don't want to say old dog, new tricks, but that's kind of the world that exists for medical devices. And so there's a lot of problems.”
“I don't want to say old dog, new tricks, but that's kind of the world that exists for medical devices.”
This has also been Lyon’s own experience.
“I used to be an embedded developer, so I lived in the introverted world of non-connectivity,” he explains. “And our concerns about security were almost non-existent, [but] quality was very, very high.”
Defensics: testing medical devices to destruction
Now connectivity is becoming the norm for the medical device industry, it’s up to companies like Synopsys to ensure security is effectively handled. However, with many devices it is not a matter of developing security for new products, but adding it to existing devices.
“We talk about threat modelling, attack surface, getting our security right from the beginning. But the reality is most people are working with legacy things, legacy applications, legacy devices, that they are moving into the connected world,” says Lyon.
“Some things are being designed from scratch, which is great, those are much better.”
“The reality is most people are working with legacy applications, legacy devices, that they are moving into the connected world.”
For new products, the ideal approach is to build security in from the start, but for legacy products it is a matter of testing devices to destruction to see where the vulnerabilities lie.
“We have something called defensics, which is designed to attack the fully assembled hardware or software device, and that's what we use a lot on medical devices that are already in deployment to try and see if we can essentially destroy them,” he says.
Defensics isn’t just used in medical devices, but across the spectrum of connected devices.
“Any IoT company, they'll bring us a product and say: 'OK, what can we do with that?' And it doesn't take long before we can break it. It seems it's a very confident demo, with defensics.”
Education: the key to future security
While there are issues, it is important to remember that medical devices are significantly more secure than the average consumer device. However, if the industry is to improve, says Lyon, more education is needed, and not just for developers.
“Developers, for the most part, are learning faster than the people who are managing them and the people who are paying the people who are managing them; people who are creating the incentives all the way down the chain,” says Lyon.
“And so there needs to be an education piece perhaps starting with developers so that it feeds up – so that when they become managers they already understand that quality in security is something we have to be taking seriously, and not just hoping some connectivity onto an existing scenario makes this happen.
“I think education is absolutely critical.”
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang
Share
Share this article
