This year both the healthcare industry and the medical device sector have been shaken by cyber-attacks and warnings of cyber-security vulnerabilities. From WannaCry affecting the operations of NHS services to implanted devices containing vulnerabilities that could potentially lead to patient harm, the industries have been made aware of the dangers of a lack of cyber-security.
To talk about the issues of cyber-security, Medical Plastics News spoke to Rusty Carter, VP of Product Management at application protection company Arxan Technologies. Carter has been in the security business for almost 20 years working for companies such as Symantec and McAfee. We discuss why the healthcare industry has become a prominent target for cyber-attacks, what medical device manufacturers need to do to protect their IP, and how WannaCry has affected cyber-security awareness.
How concerned should patients be about any potential vulnerabilities in smart connected devices?
What I’ve seen in the market and what I’ve seen from a threat point of view is that the biggest risk today is in smart devices. If you think about an implantable device like a pacemaker, there’s ultimately a mobile or desktop app that’s going to connect to that in order to configure it. Really when we look at threats across any technology and industry, it’s the path of least resistance that the attackers are going to go after. Today that’s definitely on the app side because they’re easy to obtain and, even though the industry is learning, in many cases they’re not protected. When a patient is looking at an implantable device they should be concerned with what can connect to that device. It’s as much to do with the app that’s running on someone’s phone or tablet, as it is getting access to the physical device.
What do developers need to do to protect their apps?
Certainly code quality is a fundamental aspect, but ultimately the threats are coming down to reverse engineering of those applications. The manufacturers that are creating apps for their medical devices should look at security as a foundational principle of their application; anything their application needs to do should be secured. From a communications standpoint, as well as the code and protection of the application itself, authentication and communication between device and app, as well as the privileges of that app, are important.
What about on the medical device side? What do the manufacturers need to do to make their devices secure?
On the devices themselves, legitimate authentication of the application and device is vital. For example, a pacemaker manufacturer will want their device to only allow connections from their own app. This mutual authentication ensures that it’s not someone attempting to attack the API (application programming interface) of the medical device. What we see most often is once the attacker has reverse engineered the application they will pretend to be a legitimate application; so things like cryptography, sign-in, and secure authentication between a device and the app are really critical.
Since WannaCry, has there been an increase in awareness regarding security?
Awareness of security is growing. Within the medical industry the network attacks have raised attention, and the use of ransomware within hospitals and the industry is definitely increasing awareness. The positive outcome is that the hospitals and providers are going to start to protect their networks better. Really it’s the warning that medical device manufacturers need to bolster their security immediately, because all of these devices are connected. Ultimately they’re going to be subject to either a ransomware attack, intellectual property (IP) theft or some other attack. More often I think it’s in the business interest of device manufacturers to protect their applications because so much of their technology is in software as opposed to hardware which is becoming more generic. The IP is in the design and the software and so protecting that from theft is really important.
What do users of these devices have to be worried about?
The end users actually need to be sure that they have legitimate devices and legitimate apps accessing those devices. From the IP aspect we’ve seen a number of customers protecting their applications because of a risk to patient safety by another product which is essentially a knock-off.
Healthcare has become a prominent target of cyber-attacks this year. What entices attackers to target this industry in particular?
It’s a combination of a couple of things. The first is that path of least resistance; other industries have started to ramp up their security. And then there’s a realisation that all of these devices are protecting life. In many cases these are life-saving devices and the ransom attack is a particularly effective one because you’re not holding hostage someone’s bank account, you’re holding hostage their life and health.
With the number of apps out there, has it become easier for hackers to reverse engineer applications?
To some extent. I think as device manufacturers consider and weigh the options of open platforms, where they’re developing the device and the APIs and some level of an SDK (software development kit) or some software that connects to their device, opening up the ecosystem to other players can potentially provide some business value. However, it also comes with the risk of the quality of the developer as well as a risk to the patient safety. I think that the general expansion of software knowledge – the pejorative term for entry-level hackers is the script kiddie – and if the software isn’t difficult to engineer, then creating a version that can attack it is much easier. The barrier of entry decreases with the level of general knowledge and the lack of security on those apps.
What are your thoughts on the FDA pursuing the regulatory market in the digital health space?
I think guidelines will certainly be important and provide a framework for device manufacturers to operate in. It’ll be interesting to see what happens. I think ultimately the proprietary nature of a lot of medical technology should remain with the software developer, but from an FDA guidelines and safety point of view they should be requiring some level of security for any device that can be connected to it. And really beyond the software or the firmware that’s running on the device it’s the software that connects to it that should comply with guidelines around protection and security.