Medical devices have entered the zeitgeist as a new important security target -- kind of like the Internet of Things, only running your heart instead of cooling off your beer or washing your dishes.
Noted wireless security researcher Kevin Fu recently convened an Information Security and Privacy Advisory Board (ISPAB) panel titled "Updates on Embedded Device Cybersecurity: Medical Devices to Automobiles" in Washington, D.C. Participating in the panel, which included representatives from the FDA and NIST, made me consider a couple of important but misunderstood points about medical device security.
Let's talk about those two points in turn.
Medical devices have serious risks beyond data protection failures
Though HIPAA certainly seems to have made the healthcare community stand up and take notice of information security, it may have had an unintended side effect. You see, HIPAA is all about keeping private medical records private. You remember that form with the tiny print that you signed about your rights under HIPAA (probably without reading it) during your last medical exam? That form talks about your medical records, for the most part.
Sure, we need to keep medical records private, and the record security problem is important, but data protection is only one aspect of security in the healthcare domain. When it comes to medical devices, patient data protection turns out to be a pretty minor concern, and here's why: Medical devices are used in many (but not all) cases to preserve a patient's life. A pacemaker keeps a patient's heart beating with regular rhythm. An insulin pump delivers insulin to a patient's bloodstream according to blood sugar levels that it ascertains. Even a simple monitoring machine in the ICU is critical to preserving life, as it needs to report life support anomalies as quickly as possible so that doctors and nurses can get involved. When it comes to these kinds of medical devices, the biggest risk is a patient safety risk -- and the downside is death.
Wenyuan Xu, associate professor of engineering and computer science at the University of South Carolina, has written extensively about embedded device security. Her work spans many kinds of embedded processors, from those built into cars to those that control electricity consumption. Some of Xu's work (discussed at the University of Michigan's Archimedes workshop) involves looking at processors embedded in medical devices. Suffice it to say that Xu has uncovered serious risks in real medical devices -- risks that warrant repair. (You can listen to me discuss medical device security and other security issues with Xu on episode 86 of the Silver Bullet Security Podcast.)
Unfortunately, in the grand scheme of healthcare security, too much focus on medical record privacy leaves little attention for medical device security. This became clear to me during the ISPAB panel discussion when early portions of the discussion focused around medical information protection and generally ignored medical device safety. In fact, when medical device security first came up, the questions and concerns seemed to orbit around patient data!
Put bluntly, who cares whether your medical records are kept private if you're dead? Obviously, medical device security deserves more attention than it is getting.
One very simple answer to this point is to make sure that regulators and healthcare professionals are aware of and pay attention to patient safety concerns brought about when medical devices are insecure. (For a slightly more technical treatment of medical device security risks, see "McGraw on assessing medical devices: Security in a new domain," co-authored with Chandu Ketkar.)
Hospitals have no CSO and too little security kung fu
There is another point that came up during the ISPAB panel that relates directly to medical device security. It boils down to some simple questions. Who is in charge of information security at most hospitals? And what kinds of expertise do these people generally have?
Unfortunately, computer security in many hospitals and similar providers reminds me of the very early days of computer security when security was the domain of system administrators and network security types. I like to think of these kinds of security professionals as plumbers who make sure that infrastructure is properly designed and operates smoothly. Generally speaking, though they are certainly important, plumbers are not very strategic thinkers, and neither are system administrators.
More than a decade ago we experienced a very similar strategic leadership vacuum in the financial services domain. Many of the very first financial services CISOs came up through the IT ranks and were more familiar with technical operations than with business operations. By contrast, modern financial services CISOs are different. They have both technical chops and the business acumen to manage risk appropriately. The evolution of the CISO role in financial services took about a decade.
Apparently, most hospitals have no equivalent of a modern CISO. Because of that, nobody is paying much attention to medical device security. A system administrator who understands how to build, maintain and secure a local area network of computers (for things like hospital administration, patient record storage and billing) may not have the right kind of technical chops to think through patient risk situations caused by medical device insecurity. So the problem remains under-recognized and the risks unmitigated.
Until hospital CISOs demand secure medical devices (by requiring some evidence that the devices were designed and implemented properly from a security perspective), the general public may not get them.
Under the pressure of Sarbanes-Oxley and other financial regulations, CISOs in financial services grew up quickly (actually, in most cases the early CISOs were simply swapped out). The same sort of thing needs to happen to the CISO role in hospitals so that attention turns from patient record protection and network security to patient safety concerns and building security in.
Kevin Fu, Archimedes and open process
Now that we've covered what I think were the two most salient points in the ISPAB/FDA meeting, I invite you to listen to the (recorded) proceedings and make up your mind for yourself.
Kevin Fu, an associate professor at the University of Michigan, is deeply involved in medical device security issues, happily for us. Kevin runs the Archimedes project, which focuses attention on medical device security through a series of workshops. Cigital reported its technical security findings related to real medical devices at the last Archimedes workshop (and wrote about them here). As the chair of the ISPAB panel, Kevin recorded the proceedings and posted the resulting audio. I commend this kind of openness and fully support it. You should too.
Learn more about assessing medical device security.