Medical Devices MUST Be Secure

OEMs and embedded developers who design and build medical devices have an ever-changing challenge on their hands. Security threats grow and multiply, which means the approach to embedded security design must take into account known and unforeseen threats, and meet highly stringent compliance requirements. But what are those threats, and at what point in the design, build, manufacturing, deployment and end use is security a concern?

Please take a moment to complete the form below and gain instant access to this recorded webinar.
 cover page

Recorded Webinar

Sep 24, 2021 | Length: 01:00:18

OEMs and embedded developers who design and build medical devices have an ever-changing challenge on their hands. Security threats grow and multiply, which means the approach to embedded security design must take into account known and unforeseen threats, and meet highly stringent compliance requirements. But what are those threats, and at what point in the design, build, manufacturing, deployment and end use is security a concern?

Watch the portion of a panel presentation on medical device security featuring an expert from Digi International who addresses those questions, and provides critical insights on how to ensure your designs are built to withstand attacks at every phase of the pipeline – not just in the final application. You’ll learn how the highly secure, robust Digi ConnectCore® SOM platform supports your goals for security and compliance in medical devices.

Follow-up Webinar Q&A

Thank you again for attending our session on Medical Device Security. Here are the questions that followed the presentation and their answers. If you have additional questions, be sure to reach out.

Can we provide software security updates to devices at hospitals without violating our FDA device certification?

The FDA states that MDMs (Medical Device Manufacturers) can always update a medical device to strengthen cybersecurity, and the FDA typically doesn’t need to review the update. You should provide instructions to the team responsible for updating your device, implement a secure update procedure with public/private key structure, and build in fail safe code so the device is not in operation when you update.

Won’t a password and a hospital firewall protect my device from hacking?

Yes, in one way, but I think Robert made a great point that there's just a wide range of things that need to be implemented. A password can prevent somebody getting to it, but they can buy one of your devices and start working on it outside of a hospital environment, or steal it, or whatever. So you can't count on your users and put the onus on them to say, "You have to keep our product secure." You have to build security into your devices. I think Robert did a great job talking about the procedure for updating products and maintaining security in the environment where the product is deployed.

Does the FDA test for cybersecurity?

That's a great question, Rich. And the fact is that the FDA does not do specific testing for any kind of malware infection or cybersecurity. They're issuing constantly evolving recommendations, but there's no specific testing, and they state explicitly that it's the responsibility of the medical device manufacturer.

Given some differing philosophies on security, whether it’s hardware or software based, which solution is truly the best?

I would say that, for truly best-in-class security, you actually need a combination of both hardware and software. Hardware brings some of the things that we've discussed, such as anti-tamper capabilities into the mix. Software starts to give you logical source of attacks. So, if you think of the anti-tampering as a physical countermeasure, when you combine both hardware and software together, you get the best of both when it comes to logical and physical attack vectors, as far as what you can protect against. The other thing to consider, though, of course, is the nature of the information you're trying to protect. So, you may need different functionalities from a hardware or a software perspective, depending on what protection profiles you're targeting with your device.

Robert: Yeah. And I'll just step in. I mean, just to extend that, that's why I spent time on my part of the presentation talking about taking advantage of the hardware. There are many things that the hardware is capable of doing or capable of helping with the software, but the software needs to be there to take advantage of all of that, you know. And it's only with the two working in concert that the device can actually become more secure.

If what you are saying is that everyone should use some levels of hardware and software security but every application is different, how do I know what security is right for me?

In cases where you're not sure where to start, or what level of security is necessary for your application, we get this question often of, you know, "I'm not a security expert. How do I get started?" The easiest thing to do, of course, is to find the standard that's most applicable for what your device class is, and use that as a starting point. And ultimately, if you're not sure even what standard to start with, NIST is always a good place to start, for example, National Institute of Standards and Technology. They have a cybersecurity framework that they've actually published, and that can be used as a guide for novices as well as veterans alike in the security arena. So, that would be one place that I would definitely recommend to at least start taking a look at if you're not familiar with security, or if you're new to security.

And then, some of these other standards that have been discussed throughout the webinar as well. So, for example, Bob had mentioned FIPS. It's another NIST standard, if you will, that we see a lot of people targeting or looking to design towards. The other thing that you can do is you can also consult with partners who are experts in security, such as the people that are on the call today, myself, Robert, and Bob. Or, if you have your own in-house expertise, of course, utilize that as well.

What is specific to the medical market when it comes to security vs. the general market?

Well, I can do the one-word answer for that, which is nothing. You know, the techniques that I think all three of us talked about today aren't really specific to the medical market at all. They are more general things to think about if you're doing autonomous drive, right? The security requirements and techniques are essentially the same.

The difference really is in emphasis, you know. If I'm doing a consumer device, and my consumer device gets compromised, and personal data gets transmitted to the bad guys, or a web application, or whatever, that's embarrassing, and it's costly. But the laws are entirely different.

The scrutiny done by regulators is entirely different. Most other industries look at security as basically what happens when the barn door gets open and the horses have all escaped. Whereas the medical regulators are really trying to make sure that you lock the barn door before the horses escape. And that's where all of that emphasis is. It's not just you, and then how do you deal with it after it happens. It is the regulators saying, "Hey, how are you going to prevent this from happening?" And so, even though it would be right to consider all of these things up front for any kind of device, the medical industry requires it.

Patrick: Robert, one more thing that I would add to that as well. I often get the comparison, people saying security is a little bit like insurance. And it is. But when you talk about the medical industry, in particular, I would say, yes, it's like insurance, and the liability is a lot higher as well in medical applications.

How do the things we've discussed help with the kinds of medical attacks that show up in the news (hospital networks being compromised, ransomware, etc.)?

Well, like I said in my presentation, nothing's perfect. But the kinds of steps that we've all talked about in our individual presentations really do help. If it is difficult or impossible for a hacker to get a device so that they can probe it and figure out its weaknesses, or the device becomes somehow invalidated when that happens, then it makes it a lot more difficult for them to figure out how to attack the device.

If your software is developed using preventative techniques, and is using high-quality security best practices, then even if they get access to the device, it will be much more difficult for them to inject, say, malware into the device, which is where the ransomware and other attacks on the hospital network come from. And so, at least you can protect the device to the greatest extent possible, and then you hope that the other providers of the hospital network are doing the same, and therefore, the hospital network will at least be more secure.

Rich: And I know you said it makes it more difficult, but not impossible.

Robert: Yeah, it goes all the way back to, you know, the armed guards and the concrete-encased device.

What are the security issues of using open source hardware, like BeagleBone and Raspberry Pi, in medical device products? Bob, do you want to try that one?

Sure. We get that from our customers, too. And the challenge is the trade-off in time. I mean, the things that Siemens has implemented, and Digi has implemented, and Infineon had implemented and/or will make available to our customers, can all be done using open source software. But it's a huge amount of work, and time, and essentially you're on your own, collecting your own tools, your own pieces, and integrating them on top of the open source hardware. And you have to get it right! So, it's a lot of time, and then you have the issue of certification, going through the different global certifications and showing what you've done, when, again, you just won't have any support from your vendors for that. So, I guess the shorter answer is, yes, it's possible, but really, extremely difficult.

How you detect malware infection?

It is important to design detection features into a connected device. This can include logging attack attempts and examining the logs for unexpected activity on a device. It is also possible to detect network activity to unexpected IP addresses or activity by a device. If a device fails or begins to malfunction, you should remove it from the network and test for malware or code that does not belong on the device. There are companies and labs that can test devices for the presence of malware.

Watch our video on embedded design
Learn how to tackle embedded design challenges the right way

Related Content

Adding Voice Control to Your Next Medical Device Adding Voice Control to Your Next Medical Device Voice control offers unique advantages for medical devices – operating convenience, improved hygiene over touchscreens or... RECORDED WEBINAR Webinar Adding Voice Control to Your Next Medical Device Tuesday, July 12, 2022
10:00-11:00 a.m. Central Time
UPCOMING WEBINAR
Power Management Techniques in Embedded Systems Power Management Techniques in Embedded Systems Utilizing key power management techniques in your embedded system designs can have enormous benefits, from battery life... READ BLOG DeGIV DeGIV Health Terminals Meet Patient Privacy and GDPR Requirements for Healthcare Data To help control sensitive healthcare information, DeGIV created a privacy-platform with a specialized access-point, called “The... READ STORY Accelerate your development with Digi ConnectCore embedded SOM solutions (German language) Accelerate your development with Digi ConnectCore embedded SOM solutions (German language) Getting to market with IoT applications requires embedded systems designed for rapid development, flexibility and scale, along... RECORDED WEBINAR Digi ConnectCore 8 Family Digi ConnectCore 8 Family Module Choices, Compatibility and Easy Scalability VIEW PDF No Matter How Good Your Design Is, If It's Not Secure, You Could Be At Risk No Matter How Good Your Design Is, If It's Not Secure, You Could Be At Risk Embedded Designs: Building in Security from Day 1

The challenges developers face in building secure product...
RECORDED WEBINAR
Digi ConnectCore SOM Solutions Digi ConnectCore SOM Solutions Embedded system-on-modules based exclusively on NXP i.MX applications processors - designed for longevity and scalability, in industrial IoT applications VIEW PDF Who Is Responsible for IoT Device Security? Who Is Responsible for IoT Device Security? Many people believe that security can be fully implemented by the device manufacturer, or that it’s possible to install a... READ BLOG Digi ConnectCore 8M Nano: Developer Resources, Security, Scalability Digi ConnectCore 8M Nano: Developer Resources, Security, Scalability Digi International recently announced availability of the Digi ConnectCore 8M Nano Development Kit. The Digi ConnectCore® 8M... READ BLOG IoT in Healthcare: Applications and Use Cases IoT in Healthcare: Applications and Use Cases IoT in healthcare is a fast-growth area for a range of reasons, including the ability for connected devices to gather data... READ BLOG Reliable Connected Health Reliable Connected Health Industry-leading Digi solutions are purpose-built for today’s connected medical devices. VIEW PDF