Medical devices perform critical functions in surgery, hospital care, and clinical settings, and play an increasing role in home health care. Millions of people rely on medical devices to stay alive and depend upon them to improve the quality of their life.
Unquestionably, medical devices provide tremendous benefit to society, but few people think about the associated safety and security issues. Medical devices rely on network connectivity to provide remote reporting, diagnostics, and control opening them up to a new breed of attacks.
Medical Device Threats
There are many well documented, recent security vulnerabilities involving medical equipment. Perhaps the most startling was a report on June 13, 2013 from ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) including a list of more than 300 devices from approximately 40 vendors using hard coded passwords. The issue was so severe it prompted an alert by the FDA and Department of Homeland Security containing security guidance for medical device manufacturers.
Security requirements for medical devices
There is no one one-size fits all security solution for medical devices. Engineers must take into consideration the cost of a security failure (economic, environmental, social, etc.), the risk of attack, and the cost of implementing a security solution.
Today’s modern medical devices are connected computers performing critical functions. Security must be built into the device ensuring it is not dependent on perimeter security as its sole layer of protection. To successfully protect against advanced cyber-threats, security features must be considered early in the design process.
David West is the Director of Engineering at Icon Labs, a leading provider of security software for IoT and embedded devices. Icon Labs was named a 2014 Gartner “Cool Vendor” and 2015 Gartner “Select Vendor”, and is focused on creating The Internet of Secure Things by providing a security from for even the smallest IoT devices. You can reach him at firstname.lastname@example.org.