Panelists decry lax security in medical devices

Austin, Texas -- Security for medical equipment such as MRI machines and pacemakers is woeful, even though these devices today connect to networks and sometimes face risks from malware or hacking, according to a panel of university researchers speaking at this week's Design Automation Conference.

Applying encryption and strong authentication to protect implantable patient devices from tampering is still largely in the research phase, these experts say. But when it comes to hospital equipment that uses commercial operating systems such as Microsoft Windows, the manufacturers are too often reluctant to patch security holes, and sometimes even tell hospital staff the lie that the Food and Drug Administration (FDA) doesn't allow it.

Kevin Fu, associate professor at the University of Michigan, said he knows of a large Boston hospital in which Windows XP is part of MRI processes and the systems haven't been patched since 2007. Fu said hospital staffers have told him they're not allowed to update these devices. The excuse, which is heard often, says Fu, is that medical-device manufacturers say the Food and Drug Administration (FDA) won't allow updates, which isn't true.

Updating medical gear is hard but it has to be done, said Fu. He also noted that sometimes the way that medical-device software updates are supplied is very lax in terms of security. For instance, Fu said he's seen a hospital ventilator manufacturer post a software update on its website. But when Fu visited the manufacturer's website, he got a security warning on his own computer that "visiting this site may harm your computer" because the manufacturer's site had been infected with malware and was distributing it.

"As far as I know, malware didn't get into the ventilator itself. We just know the vendor's website was distributing malware for 90 days," Fu said.

But some medical-device manufacturers aren't too timid to step up to the security challenge. Boston Scientific Corp., which makes a line of implantable cardiac medical devices, was represented on the DAC panel by Ken Hoyme, a senior fellow in the systems engineering arm of the firm.

The range of implantable cardiac devices designed by Boston Scientific does not use third-party commercial operating systems like Microsoft, said Hoyme. Nevertheless, modern approaches to networking and information sharing do mean that these implantable devices are designed for maintenance via wireless networks.

While strong authentication and encryption are good security ideas, they are difficult to apply to implantable devices mainly because a patient might suddenly have an emergency in which access to the implantable device is needed immediately by a medical professional at any time and place. So the dilemma is that security might actually impede safety.

While the FDA certainly doesn't ban patches, the FDA approval process is fairly lengthy for changes of any kind, Hoyme noted, saying Boston Scientific typically experiences anywhere from one to nine months.

Medical devices such as pacemakers take years to develop and be approved by the FDA and are designed to have long battery life and durability of a decade. So planning for security risk is complicated based on such a long timeframe, Hoyme and other researchers agree.

"The industry has a lot of challenges," acknowledged Hoyme. Boston Scientific itself is defining an encryption approach it hopes to apply in the future. But the reality for the industry is that it must acknowledge the potential for attackers to try and tamper with implantable devices and supporting software used to remotely maintain them.

Also speaking on the DAC panel, Niraj Jha, professor of electrical engineering at Princeton University, said the broad range of medical devices has basically opened "a big attack surface."

Threats include wireless tampering, wireless battery draining, malware and software exploitation, and various side channel attacks related to tampering, he said. Looking at implantable devices, he pointed out they are really "embedded systems" associated with a "body area network."

It's become an accepted idea that medical devices can be compromised, as researchers have publicly demonstrated in the past; McAfee researchers did so last year through a remote compromise of an insulin pump, Jha noted.

Jha said it's fairly simple for an attacker to put together an attack tool to intercept radio communications, based on about $800 worth of hardware and software that can be easily found, and carry out attempts to compromise some medical devices from 20 meters away.

The question now, said Jha, is what can be done to improve this inadequate security. University researchers are tackling the problem in various ways, he pointed out. Princeton and Purdue researchers teamed last year to come up with a kind of firewall for implantable devices called MedMon that would be used in pacemakers, insulin-delivery systems and brain implants. "It's like a firewall, it monitors traffic," said Jha. "It snoops on all communication to and from the device." If it detects an anomalous pattern or what it deems to be a malicious signal, it jams it.

Jha noted that researchers from Massachusetts Institute of Technology came up with what's called "Shield" that's intended to protect the security of information flowing from implantable medical devices and jam all unencrypted commands to the implanted device.

But the security problems in medical devices that summon up research concepts based on firewalls and encryption still haven't been ironed out in a way that would enable widespread use. Efficient encryption is hard not only because of the key exchange challenges but because encryption adds considerable processing overhead. However, one researcher on the panel, Ingrid Verbauwhede, a professor from Katholieke Universiteit Leuven in Belgium, pointed out elliptic-curve cryptography is likely the most efficient technology for this.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.
