As many as 1,000 patients suffered harm from medical devices hit by a cyber attack, according to a new survey conducted by researchers at the University of California San Diego. The results were announced at the HIMSS Healthcare Security Forum earlier this week. Garrett Sipple, Managing Consultant at Synopsys’ Software Integrity Group commented below.
Garrett Sipple, Managing Consultant at Synopsys’ Software Integrity Group:
“This is another example of recognising the importance of security as it plays a role in maintaining the safety and effectiveness of medical devices. Medical devices often move through long product development cycles that can make them slow to react to new cybersecurity threats, especially if cybersecurity wasn’t even a key consideration in the development process.
Cyber-attacks aren’t the only side effect to consider when it comes to medical device security. In a survey Synopsys ran with Ponemon last spring, it was found that in 38% of cases where a medical device had been breached, inappropriate health care had been delivered to the patient – and that could be lethal.
One of the prevalent themes in this document is the critical role that systems must play in the healthcare sector, because there is shared responsibility among regulators, manufacturers, healthcare providers, and patients. While software security has been discussed for many years, fewer people are talking about systems security and integrating security into systems engineering. The healthcare industry must solve this problem at the system-of-systems level, as well as for individual products like MRI machines and patient monitors.
Well known technical activities such as static code analysis are important, but so are non-technical elements like risk management processes and program-level prioritisation of resources based on identified risk.
Many of the recommendations are already understood and documented. One specific example is the recommendation that stronger mechanisms are needed, but there is no silver bullet. That concept is fully embodied in the BSIMM framework. BSIMM identifies a superset of 113 security activities that have been used to build security into systems. Leveraging this superset to identify new activities is one step organisations can take. The key message from this is that evaluating security at every layer in a product or system lifecycle – systems, software, firmware, hardware – is the only way to fundamentally build security into a product.”