Medical Device Security: What is Needed, and Where?

Security continues to be an area of concern for companies interested in implementing Industrial Internet technologies. Along with improvements in efficiency and productivity, connectivity and data sharing bring the obvious need to secure data so that only those with proper authorization can access it.

During “Securing the Internet of Things,” a panel discussion held last week at the LiveWorx 2015 conference in Boston, talk focused on an industry where security is of particular interest: medical devices.

Paul Roberts, Editor in Chief of The Security Ledger, who moderated the panel, pointed out that he noticed the need for increased data security because of the real shift from hardware and mobile devices to embedded SCADA devices. This meant that information security was shifting from being patch focused to a totally different environment with hundreds of types of devices. And these devices no longer ran only on Windows, but on many different embedded operating systems.

Roberts led off the discussion by referencing a recent article in The Security Ledger that described an infusion pump that “utterly lacked security controls.” The pump contained “serious security holes that could give an attacker control over the devices,” Roberts explains in the article. 

Greg Dameron, Director of Software Engineering at Medtronic Surgical Technologies, agreed that many medical devices made back before security was a consideration are still in use. New medical devices, he explained, are designed to make sure that risk is carefully managed, and third-party devices are also being secured. Dameron said that medical device design must walk a fine line to make sure that a product is secure while still being usable for the clinical purposes for which it was intended.

What it comes down to when deciding the security that is needed, pointed out Alan Tait, CTO at Stream Technologies, is determining “can this data actually do damage.”

Security on an operational level must be planned carefully, agreed Rob Black, Senior Director of Product Management at ThingWorx. And it must be thought through for the entire lifecycle of a system, including the devices’ retirement.

Andreas Laumann, Head of Software Development at exceet Secure Solutions, clarified that security should be part of the entire process. Data must be communicated in a secure manner, and also the data itself must be secured in storage.

Even devices not originally meant to be connected must be designed to have security, pointed out Rob Black, because down the line, someone else might make that device connected. 

Though security should, of course, be an important element in the design of any medical device, in reality, there are not a lot of people maliciously trying to hack medical devices, concluded Dameron. What testers are trying to do is to see if hacking is possible so that they can point out where security needs to be bolstered before there is a problem.