Even though medical device manufacturers are heavily investing in the development of new medical device technologies, they often lack the security expertise and the technical resources to ensure that high levels of security are built into these solutions.
FREMONT, CA: Before diving into the problem of how to secure connected medical devices, it is essential to consider the origin of security vulnerabilities. Most embedded device vulnerabilities can be divided into implementation vulnerabilities, deployment or use vulnerabilities, and design vulnerabilities.
Implementation vulnerabilities occur when coding errors result in a weakness that can be exploited during a cyberattack. The infamous, and seemingly immortal, buffer overflow attacks are the classic example of implementation vulnerabilities. Other examples include improperly seeding random number generators, which can result in the generation of security keys that are easy to guess. Adherence to software development procedures like the OWASP Secure Software Development Lifecycle or Microsoft's Security Development Lifecycle and thorough testing processes help to address implementation vulnerabilities.
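The seeding problem mentioned above, shown as an added example that is not part of the original article: a key generator seeded from boot time next to one that reads the OS CSPRNG, plus a small fleet check that counts how many distinct keys the weak version yields. The function names and the boot-time scenario are hypothetical, and `/dev/urandom` assumes a Linux-based device; on an RTOS the hardened path would call the platform's hardware RNG instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16
#define MAX_FLEET 256

/* Weak: rand() seeded with a guessable value (boot time in seconds).
 * The 128-bit key carries no more entropy than the seed itself. */
void weak_keygen(unsigned int boot_time, uint8_t key[KEY_LEN]) {
    srand(boot_time);
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Hardened: take key bytes from the OS CSPRNG. Returns 0 on success,
 * -1 on failure so the caller can refuse to run without a key. */
int strong_keygen(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* Fleet audit: how many distinct keys result when `devices` units
 * (at most MAX_FLEET) first boot within the same `window_s` seconds? */
size_t distinct_weak_keys(unsigned int base, unsigned int window_s, size_t devices) {
    static uint8_t seen[MAX_FLEET][KEY_LEN];
    size_t distinct = 0;
    if (window_s == 0) return 0;
    for (size_t d = 0; d < devices && d < MAX_FLEET; d++) {
        uint8_t key[KEY_LEN];
        size_t j = 0;
        weak_keygen(base + (unsigned int)(d % window_s), key);
        while (j < distinct && memcmp(seen[j], key, KEY_LEN) != 0) j++;
        if (j == distinct) memcpy(seen[distinct++], key, KEY_LEN);
    }
    return distinct;
}

int main(void) {
    uint8_t k[KEY_LEN];
    /* Constructed scenario: 200 devices provisioned within one minute. */
    printf("weak: %zu distinct keys for 200 devices\n",
           distinct_weak_keys(1700000000u, 60, 200));
    printf("strong_keygen status: %d\n", strong_keygen(k));
    return 0;
}
```

However many devices are provisioned, the weak generator can never produce more distinct keys than there are seconds in the provisioning window, which is the sense in which such keys are easy to guess.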
Deployment or use vulnerabilities relate to issues that are introduced by the user during operation or installation of the device. These include issues such as not changing default passwords, using weak passwords, and not enabling security features.
In contrast, design vulnerabilities are weaknesses that result from a failure to include proper security measures when developing the device. Examples of design vulnerabilities that have resulted in security breaches include the use of hard-coded passwords, control interfaces with no user authentication, and communication protocols that send passwords and other sensitive information. Other less glaring examples include devices that lack secure boot or that allow unauthenticated remote firmware updates.
Medical devices comprise a wildly diverse range of device types, from small to large and simple to complex. These are embedded devices, which differ significantly from standard PCs or other consumer devices. They are fixed-function devices specifically designed to perform a specialized task. Many of them use a specialized operating system such as VxWorks, FreeRTOS or INTEGRITY, or a stripped-down version of Linux. Installing new software on the system in the field either requires a specialized upgrade process or is not supported. In most cases, these devices are optimized to minimize processing cycles and memory usage and do not have the extra processing resources required to support traditional security mechanisms.