Software security for medical devices - are you doing it right?
In this article, DCA's Software Skill Leader John Whitehouse explains how cyber-security should be included as part of a multi-disciplinary approach to risk management during medical device development.
We are all aware of the increasing criticality of digital information within our lives. Most of us now communicate and bank routinely online. In the wake of the Covid-19 crisis, many of us also work, shop and socialise largely in the digital space too. This inexorable trend is revolutionising the way we live and is impacting the medical industry as both healthcare providers and device companies embrace digital technology as a means to improve patient outcomes whilst streamlining service efficiency.
Of course we have lived with electronically programmable medical devices for decades, but what is now different is the widespread integration of these medical devices with patients' own electronic products and systems via cell phones and home networks. This integration significantly increases the vulnerability of personal medical data to cyber-snooping and raises the very serious prospect that malicious attacks could be made that disrupt safe and effective operation of devices that are critical to the health and well-being of vulnerable patients.
In 2017, the WannaCry ransomware attack affected hundreds of thousands of computers around the world. Whilst this attack was not specifically targeted at medical systems, it exposed the vulnerability of large inter-connected healthcare providers such as the UK's National Health Service (NHS). The attack resulted in the cancellation of thousands of appointments and operations within the NHS and it was reported that some staff had to revert to pen and paper and the use of private cell phones, as centralised IT systems became completely disrupted. Perhaps even more alarmingly, reports by cyber-security researchers have demonstrated the potential vulnerability of safety-critical devices such as wireless connected insulin pumps and pacemakers to hacking [1], raising the genuinely sinister prospect of targeted, remote lethal attacks on individuals.
Whether inadvertently or deliberately, it is clear that cyber-attacks have the potential to inflict serious harm on patients. In response, regulators now expect that cybersecurity vulnerabilities are adequately identified and addressed by developers and manufacturers of all electronically programmable medical devices.
What are you trying to protect?
When determining how to protect the cybersecurity of a medical device, the first step is to understand the data assets that the device manages. Data records, especially sensitive patient data, need protection from snooping and manipulation for both privacy and safety reasons. Additionally, the software running on the device may be a key intellectual property asset that needs to be protected from theft or tampering.
Secondly, one needs to consider the environment in which the device will be used. For example, will it be connected directly to the Internet? Does sensitive data need to be transferred to, as well as from the device? Does the device need to be operating at all times? Will it be used in public or private spaces? The answers to these questions will help to inform decisions on the most appropriate type of communications technology for the device, which in turn enables the developer to explore potential system risks and vulnerabilities.
Once the product and system architecture is defined, threat modelling should be applied to identify potential vulnerabilities for the data that needs to be protected. By examining the potential for attacks in the form of spoofing, tampering, data repudiation, information leaks, unauthorised use and denial of service, the potential impacts on device behaviour can be explored. This process should be followed to generate a comprehensive list of risks that need consideration and mitigation in the development of the detailed design for the device.
When developing electronically programmable medical devices at DCA, we also perform detailed research into known issues and published vulnerabilities for the hardware and software used in a medical device, to support further risk identification. This includes examining supporting software documentation, assessing published information in open-source databases, such as the Common Vulnerabilities and Exposures database (CVE), as well as considering guidance on the secure use of data protocols by authorities like NIST.
These activities guide design decisions and feed into a cybersecurity bill-of-materials (CBOM) for the device, which records potential cybersecurity risks alongside all other product functional and regulatory requirements.
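The component research described above, cross-checking the hardware and software used in a device against published vulnerability records to seed the CBOM, can be reduced to a small, repeatable check. The following is an added example, not DCA's own tooling: the component list, the vulnerability records and the VULN-EXAMPLE-nnn identifiers are constructed for illustration (real work would draw them from supplier documentation and the CVE database), and the version-range matching assumes dotted numeric version strings.

```python
"""Cross-check a device's software components against known-vulnerability
records to seed a cybersecurity bill-of-materials (CBOM).

Added illustration, not DCA's tooling. The component list and the
vulnerability records are constructed; identifiers of the form
VULN-EXAMPLE-nnn are placeholders, not CVE numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    role: str             # where the component sits in the device architecture


@dataclass(frozen=True)
class VulnRecord:
    identifier: str       # placeholder id (real work: CVE id from the NVD feed)
    component: str
    introduced: str       # first affected version, inclusive
    fixed: Optional[str]  # first fixed version, exclusive; None if no fix yet
    summary: str
    severity: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '2.0.3' into a comparable tuple.
    Raises ValueError for anything it cannot read, so callers can flag the
    component for manual checking instead of silently skipping it."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def is_affected(component: Component, record: VulnRecord) -> bool:
    """True if the component's version lies in [introduced, fixed)."""
    if component.name != record.component:
        return False
    version = parse_version(component.version)
    if version < parse_version(record.introduced):
        return False
    if record.fixed is not None and version >= parse_version(record.fixed):
        return False
    return True


def build_cbom(components: List[Component],
               records: List[VulnRecord]) -> Dict[str, dict]:
    """One entry per component: matched findings and a review status that
    feeds the device's overall risk register."""
    cbom: Dict[str, dict] = {}
    for comp in components:
        entry = {"version": comp.version, "role": comp.role, "findings": []}
        try:
            parse_version(comp.version)   # validate once, before matching
        except ValueError:
            # An unreadable version must not be reported as "clean".
            entry["status"] = "version unparsed, check manually"
        else:
            entry["findings"] = [r.identifier for r in records
                                 if is_affected(comp, r)]
            entry["status"] = ("needs risk review" if entry["findings"]
                               else "no known issues")
        cbom[comp.name] = entry
    return cbom


# Constructed sample data for a small connected device.
COMPONENTS = [
    Component("rtos-kernel", "3.1.4", "real-time firmware scheduler"),
    Component("ble-stack", "2.0.2", "wireless link to the patient's phone"),
    Component("tls-lib", "1.4.0", "transport encryption to the cloud service"),
    Component("bootloader", "1.0-beta", "secure boot and firmware update"),
]

RECORDS = [
    VulnRecord("VULN-EXAMPLE-001", "ble-stack", "2.0.0", "2.0.3",
               "malformed pairing request accepted without authentication", "high"),
    VulnRecord("VULN-EXAMPLE-002", "tls-lib", "1.0.0", "1.3.0",
               "weak default cipher suite", "medium"),
    VulnRecord("VULN-EXAMPLE-003", "rtos-kernel", "3.1.0", None,
               "tick counter overflow after long uptime", "medium"),
]

if __name__ == "__main__":
    for name, entry in build_cbom(COMPONENTS, RECORDS).items():
        print(f"{name:<12} {entry['version']:>8}  {entry['status']:<32} "
              f"{entry['findings']}")
```

Each "needs risk review" entry becomes a candidate line in the device risk register, where the multi-disciplinary review decides the control measure; the "check manually" status exists because a version string the tool cannot read (here the constructed "1.0-beta" bootloader) is a gap in the CBOM, not evidence of a clean component.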
Security as part of multi-disciplinary risk management
After identifying potential cybersecurity risks, our approach is to manage and review the identified vulnerabilities as part of our overall risk management process for the device. This approach helps to ensure that all aspects of device performance are considered and appropriately balanced. It is important to remember that a secure device is not necessarily a safe one (refer to Figure 1, taken from the AAMI technical report on the principles of medical device security [2]). It is feasible that the application of a security-focused risk control measure in isolation from system-level risk management could compromise patient safety. For example, the use of a sophisticated, processor-intensive encryption algorithm could compromise the timing of safety-critical device functions. Additionally, usability can be compromised by over-emphasis on device security. For example, extensive security protections may make a device too complicated to set up or use for some patients.
Figure 1 - The relationship between security and safety risks
At DCA, our multi-disciplinary approach throughout the development process helps to identify potential problems, untangle conflicts and achieve optimised design solutions. This approach couples an effective development process with informed decision-making and risk management to deliver safe, usable and cyber-secure medical devices.
[1] Chenda Ngak, "Black Hat Hacker can remotely attack insulin pumps and kill people", CBS News, 29 August 2011
[2] AAMI, "Principles of medical device security – risk management", 2016