why a medical device is now the biggest risk in your clinical trial

Of all of the connections brought about by the Internet of Things, nothing is more frightening than the notion of an unsecured medical device. The magnitude of risk associated with medical devices and the Internet of Things is a gripping proposition with 67% of medical device makers expecting an attack on their devices while only 17% taking measures to prevent an attack, according to Ponemon. These numbers are staggering when you consider U.S. hospitals have an average of 10 to 15 connected devices per bed with some hospitals registering 5,000 beds — totaling 50,000 connected devices per hospital.  Hackers and Hospitals – medium.com

The Israel startup nation has over 700 startups working in the field of medical technology innovation (See http://www.iati.co.il/sector/1/life-science-companies) – about 450 medical device companies, 150 in software, 30 in drug discovery and another 60 in biotech.

Where the US life science industry is dominated by big pharma and enterprise IT, Israel life science industry is dominated by medtech and innovative cyber technology.  Increasingly the trend is for medical devices (hardware and software as a device) to be connected; either connected directly to the Internet via WiFi in a patient’s home , as medical mobile app or as a mobile app communicating with a hardware medical device and serving as a mediation layer to transmit data to the cloud. Israeli customers of ours – companies like MyDario (diabetes), Beyond Verbal (technology that extracts  emotions from your voice – used for detection and monitoring of CHF among others) and Bioview (automated cell diagnostic platform for use in cytogenetic, pathology, and cytological analysis).

Why your medtech device is less secure than you thought

When you run a medical device clinical trial at home, there are a minimum of 14 attack vectors as you can see in the below schematic.

Why traditional IT security does not work

Traditional information security and compliance focuses on access control with a tacit assumption that someone is in charge of access control management. This is certainly true for the cloud IT operations of the medtech developer when we look at the above picture.

DevOps teams are in charge of access control and business continuity and high performance operations and using access control to mitigate trusted insider vulnerabilities from in-house and contract developers and operations staff.

Patients at home are attacking your medtech product

However, patients using a mobile app or a Wifi-connected device in their home network are create vulnerabilities to the system assets. The medtech vendor has no control over the home network and the popular security awareness programs in the workplace are meaningless at home where users can and will do anything to introduce malware into their devices and home network.

Find your weakest link

There is a lot of security research on operating systems and operating system kernels but this may not be enough. Security on modern operating systems (Windows, OS/X, iOS, Android, Linux) is getting better all the time – but  Android using SELinux and MAC (mandatory access control) doesn’t make for catchy, social-media-sticky news items.

A client once told me that people never remember your successes, only your failures. He also believed that software developers are incapable of telling the truth.

The corollary to this notion of failure-skew in the business (and security) world is media reporting. Consider media emphasis on reporting violent and/or negative events. It’s not a hot news item to say that 39% of Israeli Arabs are proud to be Israeli nor is it newsworthy to report that 29% are very proud. The world (Middle East included) is actually a much better place then it seems when not viewed through the lens of social media news reporting and re-purposing (I’m not sure what the correct term for the Huffington Post is so I’ll just use the word repurpose).

FB and Twitter create discussion threads, not examination-of-empirical data threads. Discussion is easier, more fun and cheaper than collecting data and examining it’s quality.

In addition, radical voices are far more interesting than statistics. Who cares that according to World Bank statistics, in 1990 there were 1.91 billion people who lived on less than $1.25 a day an in 2011 it was just one billion. Radical voices (amusingly adopted by the US President) will continue to blame poverty on the rise in Islamic and Iranian terror even though it emanates from the wealthiest countries in the world.

Now what does this have to do with medtech security you ask?

Everything.

Our clients read social media.  They read about zero-days and they get all nervous about your product.

Yet another serious Android security issue was publicized this week, with the latest exploit rendering devices “lifeless,” and said to affect more than half of units currently on the market.  Latest Android security exploit could leave more than half of current devices ‘dead’ & unusable

Now let’s check out that URL – its from and Apple Insider. That is correct – your competitors will be gunning for you, exploiting your vulnerabilities faster than the bad guys.

Security on modern operating systems (Windows, OS/X, iOS, Android, Linux) is getting better all the time – but  Android using SELinux and MAC (mandatory access control) doesn’t make for catchy, social-media-sticky news items and secure operating systems (in the meantime) cannot protect your medtech product from software bugs and users who download malware.

What you can do on a budget

Do not wring your hands.  Do a security assessment on your systems and prioritize 1 thing, find that one weakest link in your system and harden it up.

What risks really count for your medical device?

No question is more important for implementing an effective program of security countermeasures for your product. The management board, IT and security practioners cannot expect to mitigate risk effectively without knowing the sources and cost of threats to the business.

A modern medtech business depends on its cloud operations and app software in order to generate revenue.  The prevailing security model predicates defense in depth of these systems.  The most common strategies are to mitigate risk with network and application security products that are reactive countermeasures; blocking network ports and services, detecting known application exploits, or by blocking entry of malicious code to the network.

Are any of these security countermeasures likely to be effective in the long-term for connected medical devices? Can attacks on a patient be neutralized with defensive means only? In other words, is there a “black-box” security solution for the business?  The answer is clearly no.

A reactive network defense tool such as a firewall cannot protect exploitation of software defects in an embedded medical device and an application firewall is not a good replacement for in-depth understanding of company-specific source code or system configuration vulnerabilities.

This means that your IT software or engineering provider will not have neither the right approach nor the right solution for your embedded medical devices.

Medtech Threat Modeling

Medtech threat modeling is a continuous threat assessment process for developers that employs a systematic risk analysis of integrated hardware, software and cloud systems along with quantitative evaluation of how well removing software defects reduces risk.

Medical device Threat Modeling  is based on four basic tenets, that are discussed at greater length in this series of articles.   The four tenets are

1.Security assessment of complex software systems
2. Quantitative evaluation and financial justification for security countermeasures
3. Explicit communications between developers and security
4. Sustain continuous risk reduction

The risk analysis process will focus your investment on prioritized, cost-effective security countermeasure such as removing unnecessary services from your embedded device.

Don’t leave without saying goodbye.