Panelists decry lax security in medical devices

Austin, Texas -- Security for medical equipment such as MRI machines to and pacemakers is woeful, even though these devices today connect to networks and sometimes face risks from malware or hacking, according to a panel of university researchers speaking at this week's Design Automation Conference.

Applying encryption and strong authentication to protect implantable patient devices to prevent tampering is still largely in the research phase, these experts say. But when it comes to hospital equipment that uses commercial operating systems such as Microsoft Windows, the manufacturers are too often reluctant to patch security holes, and sometimes even tell hospital staff the lie that the Food and Drug Administration (FDA) doesn't allow it.  

Background:Medical device security isn't well tracked, research found

Kevin Fu, associate professor at the University of Michigan, said he knows of a large Boston hospital in which Windows XP is part of MRI processes and they haven't been patched since 2007. Fu said hospital staffers have told him they're not allowed to update these devices. The excuse, which is heard often, says Fu, is that medical-device manufacturers say the Food & Drug administration (FDA) won't allow updates, which isn't true.  

Updating medical gear is hard but it has to be done, said Fu. He also noted that sometimes the way that medical-device software updates are supplied is very lax in terms of security. For instance, Fu said he's seen a hospital ventilator manufacturer post a software update on its website. But when Fu visited the manufacturer's website, he got a security warning on his own computer that "visiting this site may harm your computer" because the manufacturer's site had been infected with malware and was distributing it.

"As far as I know, malware didn't get into the ventilator itself. We just know the vendor's website was distributing malware for 90 days," Fu said.

But some medical-device manufacturers aren't so timid to step up to the security challenge. Boston Scientific Corp., which makes a line of implantable cardiac medical devices, was represented on the DAC panel by Ken Hoyme, a senior fellow in the systems engineering arm of the firm.

The range of implantable cardiac devices designed by Boston Scientific do not use third-party commercial operating systems like Microsoft, said Hoyme. Nevertheless, modern approaches to networking and information sharing do mean that these implantable devices are designed for maintenance via wireless networks.  

While strong authentication and encryption are good security ideas, they are difficult to apply to implantable devices mainly because a patient might suddenly have an emergency in which access to the implantable device is needed immediately by a medical professional at any time and place. So the dilemma is that security might actually impede safety.

While the FDA certainly doesn't ban patches, the FDA approval process is fairly lengthy for changes of any kind, Hoyme noted, saying Boston Scientific typically experiences anywhere from one to nine months.

Medical devices such as pacemakers take years to develop and be approved by the FDA and are designed to have long battery life and durability of a decade. So planning for security risk is complicated based on such a long timeframe, Hoyme and other researchers agree."The industry has a lot of challenges," acknowledged Hoyme. Boston Scientific itself is defining an encryption approach it hopes to apply in the future. But the reality for the industry is that it must acknowledge the potential for attackers to try and tamper with implantable devices and supporting software used to remotely maintain them.

Also speaking on the DAC panel, Niraj Jha, professor electrical engineering at Princeton University, said the broad range of medical devices has basically opened "a big attack surface."

Threats range from wireless tampering, wireless battery draining, malware and software exploitation, and various side channel attacks related to tampering, he said. Looking at implantable devices, he pointed out they are really embedded systems" associated with a "body area network."

It's become an accepted idea that medical devices can be compromised, as researchers have publicly demonstrated in the past, such as McAfee researchers last year did through a remote compromise of an insulin pump, Jha noted.

Jha said it's fairly simple for an attacker to put together an attack tool to intercept radio communications based on about $800 worth of hardware and software that can be easily found and carry out attempts to compromise some medical devices from 20 meters away.

The question now, said Jha, is what can be done to improve this inadequate security. University researchers are tackling the problem in various ways, he pointed out. Princeton and Purdue researchers teamed last year to come up with a kind of firewall for implantable devices called MedMon that would be used in pacemakers, insulin-delivery systems and brain implants. "It's like a firewall, it monitors traffic," said Jha. "It snoops on all communication to and from the device." If it detects an anomalous pattern or what it deems to be a malicious signal, it jams it.

Jha noted that researchers from Massachusetts Institute of Technology came up with what's called "Shield" that's intended to protect the security of information flowing from implantable medical devices and  jam all unencrypted commands to the implanted device.

But the security problems in medical devices that summon up research concepts based on firewalls and encryption still haven't been ironed out in a way that would enable widespread use. Efficient encryption is hard not only because of the key exchange challenges but because encryption adds considerable overhead processing. However, one researcher on the panel, Ingrid Verbauwhede a professor from Katholieke Universiteit Leuven in Belgium, pointed out elliptic-curve cryptography is likely the most efficient technology for this.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.

Read more about wide area network in Network World's Wide Area Network section.