Following the news that security researchers have found insulin pump are vulnerable to hacking, security experts from MWR Infosecurity and Veracode commented below.
Chris Day, Security Researcher at MWR Infosecurity:
“As is increasingly reported in the news, it is typical to see embedded, IOT and medical devices entering the market with security weaknesses. There can be many reasons for this, but these typically boil down to one critical point; there was not a corporately endorsed requirement to add security to the device.
“Although we would expect these devices to be secure, in many instances there is neither an explicit requirement from customers or regulatory bodies on security. In the medical domain current regulation has limited security obligations regarding implant security, though this is changing and improving. It is also true that embedded, IOT and medical devices are receiving increasing levels of attention from the whitehat security community, which will hopefully encourage improvements in the security of these devices.
“We may also think a company would be morally obliged to ensure robust security is built into such devices, especially medical devices directly associated with a person’s wellbeing. The reality is that there are also time to market and cost factors that compete with the inclusion of security within a device’s specification and development. Finally, compared to the commercial lifespan of a medical device, these devices have only relatively recently come under the security spotlight. It is an unfortunate fact that even the best intentioned and funded security program can take time to come to fruition by way of more secure products.
“In the specific instance of the device in the article, advisories from both the security researcher and vendor have been issued to mitigate the issue, albeit at the cost of device wireless functionality. More generally speaking embedded, IOT and medical equipment vendors should follow computer security practices by assuming their devices will be in a hostile environment and proactively considering the security of their products as part of a corporate endorsed security strategy and product development lifecycle. For example, is this administration or maintenance service required to be externally exposed and what can I do to ensure this service is only accessible by legitimate third parties.
“Medical equipment manufacturers should take note of the increasing interest from security researchers, and potentially malicious parties, in medical devices. Security strategies should be reviewed to ensure they can handle the full spectrum of security threats against their devices. Security plans for devices need to be continuous and consider the full lifespan of a device. This process should start with a devices development by taking inventory of the security risks against the technologies used within a device and then determining appropriate remedial actions to remove, lessen or manage the security risk. The management of security should continue to be re-evaluated against new threats as the medical device is deployed as well as planning for secure decommissioning of medical devices where required. In an age of readily available security knowledge, curious minds and cheap software defined radio, the adage of security through obscurity is rapidly breaking down as people are more able to investigate the embedded, IOT and medical devices around them.”
Laurie Mercer, Solution Architect at Veracode:
“While scary, it is unsurprising that yet another connected medical device has been found to have security flaws. Security professionals have long hypothesised about the massive threat that many new connected medical devices pose. This gravest case of which culminated last year when the FDA urged US healthcare facilities to stop using the Hospira’s Symbiq Infusion System in favour of an alternative infusion, after a vulnerability in the drugs pump remained unpatched for a year.
“No connected device is 100% secure and vulnerabilities will always be discovered. The security of all Internet of Things (IoT) devices must be looked at holistically so that product, and its web and mobile applications, and back-end cloud services, are all secured by default. Bolt-on security creates more opportunities for vulnerabilities to fall through the crack, so it’s essential that we see application security playing a more prominent role in the development cycle.
“As we see more of connected devices entering our healthcare system, we move from solely risking our sensitive information to opening patients up to potential physical harm. It’s essential that we see a greater focus on cybersecurity within the healthcare industry to ensure that any connected devices – whether that be a drugs pump, MRI device, or a data-capturing application – are built in a way that best protects patients and their data.”