Medical device security has quickly become one of the leading issues in our field, and we can thank researchers like Kevin Fu, Jay Radcliffe and the late and great Barnaby Jack for bringing it to the forefront of trending infosec topics.
I recently had a chance to catch up with my old friend Danny Lieberman (@security_expert), a software security analyst based in Israel who specializes in security and compliance for medical devices.
Besides his other interests – playing tenor saxophone in a local big band and road biking – Lieberman is a prolific blogger with strong opinions on software and security in general, and medical device security specifically.
Here’s our recent Q&A session…
AMF: Danny – how did you end up in medical device security? A lot of people remember you as one of the pioneers in data loss prevention working with Fidelis Security Systems, which was acquired earlier this year by General Dynamics.
Lieberman: Well Anthony, it’s sort of like the guy on CBS who asked Groucho Marx how he got to Hollywood. Groucho said it was easy: “I just took the San Diego Freeway going west and got off at Fairfax…” (CBS Television City is located in the Fairfax area on Beverly Drive in LA).
But seriously, in the summer of 2008, I was doing DLP projects, busting my chops with telecoms clients in Poland, when I got a call from my friend Mike Zeevi, who is a software quality assurance consultant for medical device companies.
Mike called me in to help develop a randomization application for a big clinical trial for one of his clients, an Israeli medical device company called Brainsway who produce a helmet that does deep brain stimulation for treating depression.
In the summer of 2013 the Brainsway device for treatment of Major Depressive Disorder was validated by the FDA, and granted a wide indication for the treatment of Major Depressive Disorder patients. There was no looking back.
Besides, medical device security is far more interesting than DLP, plus there are almost 1000 medical device vendors in Israel with some really smart people in the field, which makes it an exciting place to be.
AMF: What does the arena of MedSec encompass in its entirety?
Lieberman: Medical device security (or MedSec as you call it) is in many ways fundamentally different than traditional IT security.
The IT computing paradigm has not changed in almost 20 years – it is still based on client-server computing with clients that are browsers, tablets or phones and servers that are located on customer premises or in the cloud. The security paradigm is still firewall/IPS on the server side and anti-virus on the client side when you boil it down and strip away the marketing smoke and mirrors.
MedSec on the other hand requires a more a priori approach due to the regulatory, software and operating environments in hospitals (or at home) and applications (indications as they are called in medicine).
There is no one-size fits all solution and in many cases, it may be impossible to even install and maintain an anti-virus. For sure – the high level issues are the same everywhere; confidentiality of patient information, data integrity and system availability, but that’s pretty much where it stops.
I like to think of medical devices on a hospital network like tools and weapons used by soldiers on a battlefield – a hostile environment where people can get killed because of buggy software.
AMF: What kinds of medical devices are most at risk – implanted, external?
Lieberman: That’s a really good question: What and who is at risk here.
There is an incredible diversity of innovative devices, smart phone devices, intrusive devices such as ICD (implanted cardiac devices such as pacemakers and defibrillators), non-intrusive devices such as bedside monitors, diagnostic devices in every conceivable field from neuroscience to cardiology and behavior disorders and combinations of intrusive and non-intrusive devices such as cardiac catheterization devices that perform graphic visualization and interface in real time with ultrasound and ablation devices.
In fact – the device itself is rarely at risk. There is of course, patient safety risk.
The whole area of being killed by code has been extensively covered – I gave a talk on this at the Mobile Security conference in Herzliya in 2010. Patient safety is the main concern of the FDA, and they are taking a closer look at mobile devices, although they are moving a lot slower than the mobile device developers.
For a device in a hospital, the asset at risk is the hospital enterprise network. As Spock said in Star Trek II – “Logic clearly dictates that the needs of the many outweigh the needs of the few”.
AMF: What puts the devices at risk – malware, lack of encryption, lack of secure coding, firmware weaknesses?
Lieberman: We see all of the above in our engagements with medical device vendors. A lot of medical devices use Windows and that means vulnerabilities to malware on removable media and Windows auto-run. We have clients that migrate to Linux because they have much better control of the operating system and removable device drivers.
Remember that in many cases – the entire IT security paradigm of a centralized security management console is irrelevant for the medical device since the device itself is embedded, locked down, and located on a private VLAN in the ICU (intensive care unit).
We usually don’t encounter the garden variety of spear phishing attacks that you get in IT environments simply because medical devices interact with the patient or physician. Many diagnostic and monitoring devices do not have Internet access, but that is changing as device vendors discover the business and operational opportunities of using the cloud for providing new services such as automated remote analysis of imaging data.
AMF: So what is the motivation behind medical device attacks – to steal data? To injure or kill?
Lieberman: Great question – what threats really count? The proof of concept attack on an ICD was first reported by Kevin Fu and his team at U-Mass Amherst, and it has been widely cited as an example of how it would be possible to kill a politician with an ICD using a drive-by wireless attack.
This is of great concern because most of these manufacturers have not done a great job on their wireless command and control protocol. Stealing PHI is probably far more common simply because most hospitals in the world still use flat access control schemes, which means that a doctor in geriatrics can view the medical records of a patient in the ICU.
We also see economic motivation where an attacker will seek to exploit medical device software vulnerabilities in order to add functionality or extend operational lifetime of a disposable without paying the device vendor.
AMF: What’s the typical profile of a medical device attacker compared to non-med attackers?
Lieberman: Excluding cases where a country or criminal organization wants to kill or injure someone, the motivation is always economic.
Just as people who steal credit cards can sell them on the dark net, PHI is also of economic value but for different reasons – an insurance company wants to contest a claim by a patient, an employer wants background on a candidate, and they may use stolen PHI to “enrich” background information.
And as I mentioned, hospitals or device distributors may hack the device in order to extend functionality without paying for it. It’s always about the money.
AMF: How can these devices be hardened?
Lieberman: The first thing we always do is a thorough threat analysis of the device and its connected environment.
We ask tough questions related to the business assets and financial value, we analyze what threats really count, we dive into the product and discover vulnerabilities and only then do we develop a cost-effective, prioritized set of countermeasures that is specific to the particular device.
If I had to give some 40,000 foot advice to a device vendor, I would say do 3 things: 1) Do a quantitative threat analysis; 2) Use Linux; and 3) Forget about anti-virus as an adequate defense.
AMF: How secure can medical devices ever really be?
Lieberman: There is no such thing as perfect security, as you know. I think that if we adopt an open source philosophy of “more eyeballs on the problem are better,” and base our medical device product development on rigorous threat analysis, then we can get MedSec as good as it can be.
AMF: Whose responsibility is it to ensure medical device security?
Lieberman: This is a tricky question. It’s the golden rule: “He who has the gold rules”.
In our experience – most MedSec projects are driven by HIPAA, and when you read the Appendix A Security Rule carefully you will see the battle lines forming up nicely where hospitals own security on the policy and procedure side and medical device vendors own the software and operational security piece. Remember my analogy of a battlefield.
AMF: Who is putting the pressure on to improve security?
Lieberman: For sure, HIPAA is the driving force. Europe is a bit different with the EU Data Protection law coming into reality in 2014, but each country has a different take and set of regulatory requirements.
France is different from UK is different from Germany on the regulatory side of things, but at the end of the day if your medical device has strong security – your regulatory consultant and lawyer can handle the rest.
AMF: What can stakeholders learn from other IT sectors on security?
Lieberman: Be humble.
AMF: What’s the future look like (3, 5, 10 years)?
Lieberman: Look at the mobile device and cloud computing markets, and you will see where medical devices will be in another 3-5 years.
Ten years out – skin-mounted devices will be common, and these pose a whole new set of challenges totally different from the current IT security paradigm. You will be able to buy a pack of disposable cardiac monitors that apply like a band-aid at your local pharmacy.
See my essay on skin-mounted devices here.