Securing Your Intestinal Data

Medical devices that use IP or wireless protocols to pass data and instruction between the host and the client aren’t all that unique. What is unique is the diversity, intensity, and depth of today’s security breaches, particularly in the face of the emerging Internet of Things/Everything (IoT/E) and the general lack of security across such medical devices. These elements can lay these medical devices wide open to hackers, and they become another potential vector for malcontents to perform malicious and devious activities, both within networks and globally.

Are the glucose values of a particular patient really of any interest to anyone other than the patient and their doctor? Maybe. Hackers do things for a variety of reasons—some for profit, some for retribution, other just to see if they can. Is it really that far out to consider that some talented super-coder might stumble on such data and find it amusing to alter the numbers and create a panic? What if the hacker wasn’t just a bored, precocious 13 year old, but a devious, criminal mind intent on compromising that Bluetooth-based glucose meter with the intent of stealing the user’s identity to access bank data?

What if the patient was an individual of substantial standing? This may sound like the story line of a movie, but it’s more than theoretically possible to assassinate some high-value target by hijacking their pacemaker or insulin pump. And that freely available, seemingly worthless data of a cardiogram could be a risk factor. And what if such data can be captured by insurance companies and used against patients? Paranoid? Perhaps, but not beyond what’s technologically possible.

Armed with that realization, companies like NXP, Kaspersky, Infineon, and others that either specialize in, or have a large commitment to security, are beginning to offer medical device manufactures the opportunity to raise the bar and keep your private parts private.

Semiconductor Engineering posed a series of questions to these companies regarding security issues around medical devices. Their answers were enlightening, informative and in some case, brutally honest.

Question No. 1: What is the current state of securing medical devices hardware and software?

Jerome Schang, Cyber Security Segment Marketing Manager for NXP: “The portable medical market has been drastically evolving in the past two decades, in a connected world, and telehealth became a prevalent trend in medical devices’ technology. Currently available hardware and software solutions are fully vertically integrated by dominant players. They mostly rely on Bluetooth 2.1 EDR technology, which was first implemented in hospitals, and later deployed in patient’s homes. This happened before a central Cloud-based approach was an option.

“Telehealth home hubs and gateway aggregation devices intended to bridge data collection nodes (blood glucose, blood pressure, weight scales, oxygen saturation, peak flow meters, etc.), with central databases in a very unregulated environment. This fostered the development of proprietary solutions, which describes what is currently available on mature markets (United States and Western Europe).

“The Health Insurance Portability and Accountability Act, (HIPAA) of 1996, and The Health Information Technology for Economic and Clinical Health (HITECH) Act, of 2009 have made great contribution to defining privacy and security terms in the healthcare industry. However, the system lacks federal regulation to fill in the gaps dealing with sensitive information collected and transmitted by telehealth apps and software.”

As of May 2014, because the FTC does not set detailed requirements for data privacy or security, protection for telehealth devices not covered by HIPAA are dependent on technology vendor’s discretion.”

These answer by Schang paint a somewhat discerning picture. The fact that much of the security is left to a handful of vendors, and is proprietary, is never very good news. As is the fact that the government’s wheels are Turing slowly to plug the holes isn’t much better.

Michael Mimoso, Security Evangelist, Kaspersky Labs: “Not very good. Like most new technology, devices such as insulin pumps or defibrillators are not designed with information security in mind. Most of them can either be updated over the Internet or are capable of sharing patient data electronically. And most of them are secured with weak vendor-supplied default passwords that don’t get changed. This elevates the risk for patient data to be stolen or the device itself tampered with, which could put a patient’s life in jeopardy.”

Question No. 2: What are the unique issues with securing medical devices?

Schang: “Top medical privacy and security threats can be broken out under the following categories:

• Wearable sensors, and those located in a patient’s home that may unintentionally leak information about household activities.
• Transmissions from medical devices or apps that may be shared with third-parties advertisers that enable a premium-type usage. This results into targeted ads based on patient’s medical records or usage patterns.
• When patients give consent to health applications to handle their personal data and information, the burden of privacy’s responsibility shifts to the patients, which calls for better device’s encryption capabilities.
• Because patients are not considered as ‘covered-entity’ or ‘business associate,’ their information is not protected while collected by devices for telehealth purposes as it falls in the void space of HIPAA-regulated security.
• Some unsecured medical devices such as pacemakers, insulin pumps are more vulnerable to attacks than others depending on connectivity layers. Criminal scenario must be envisioned if such breaches could yield to a fatal outcome for the patient.”

There is a great deal of territory out there that has the potential for compromise or corruption. Some is policy addressable, others need to be tackled from a technology vector. In any event, the issue Schang brings up show that there is a long way to go.

Mimoso: “Many of these embedded computers share the same weaknesses as traditional computers. However, they are much more difficult to update or patch if there is a security vulnerability that needs addressing. Furthermore, depending on the device, some may communicate over the Internet and send patient data unencrypted. Couple that with weak or non-existent access controls, and those records could be stolen or manipulated by someone on the outside affecting not only patient care, but also patient privacy.”

As one can see, there seems to be quite a bit of work needed in the area of encrypting data as a rule.

Question No. 3: Because this is in life-safety, what must be considered in designing security into these devices, including ingestible cameras or eventually nanobots?

Schang: “Medical safety and medical data records security are two very different topics. Implantable and swallow-able devices follow a specific FDA classification. The most sensitive devices default into Class 3 when they support human life or present a potential risk of injury, such as pacemakers and invasive imaging tools. Such devices must have patient safety as the top priority in the security design.

“FDA 510k Premarket submission made to the FDA must demonstrate that any new device is safe, effective, and substantially equivalent to a legally existing marketed device. No official control or data security standards are applicable, although hardware redundancy and reliable operations mechanisms have to be documented against UL 60601-1 requirements.”

Well, it seems that device security for medical devices has some support within the FDA. That is good news although the statement that there are no official data security standards is a bit troubling.

Mimoso: “A lot of this is up to the vendors. US-CERT last year published guidelines for medical device manufacturers on the security of defibrillators, insulin pumps, pacemakers, anesthesia devices, ventilators, drug infusion pumps, patient monitors, and laboratory and analysis equipment. Those guidelines focused on better access controls and network security enhancements because these embedded devices ultimately need to be connected to a hospital network, for example. The guidelines also recommend a review of cyber security practices and policies.

“Additionally, and worth noting, white-hat security researchers have published lots of research on how to hack and alter pacemakers or wirelessly control insulin pumps, for example, with potentially catastrophic outcomes for the patient. A hacker sitting on a hospital network could take advantage of an unpatched vulnerability or a poor configuration on these devices, just as he could with a traditional desktop system. Therefore, anything that can affect a patient’s health or safety, has to be made bulletproof.”

Again, it’s up to the vendors. History has shown that leaving the wolf to guard the hen house is never a good idea. Guidelines are rarely enough to change the prevailing mentality. It is very interesting what Mimoso penned about the white-hat research. Hopefully medical device manufacturers will take that research seriously, going forward.

Semiconductor Engineering also spoke with Michael Armentrout, Infineon’s regional marketing/business development manager for chip card and security, about the biggest security issues facing the chip industry.

“Today, one of the issues of securing medical devices, at the hardware level, deals with authentication,” said Armentrout. “This addresses making sure that all the devices are authorized and that there are no counterfeit, cloned or unauthorized devices on the system. There are obvious safety concerns with having something unknown attached to the system. There are also obvious concerns with patient data privacy, especially as far as HIPPA is concerned. There is a focus on having a security product in place that will do things like data encryption and maintain secure channels of communications to ensure that this patient data isn’t compromised.”

Also of interest to companies looking at medical devices are such features as usage and lifecycle tracking to make sure you are using a device the way it was intended.

For example, making sure a medical consumable was not previously used,” said Armentrout. “You also want to make sure that only the authorized individuals have access to certain devices and equipment. In the medical industry, the usage of hardware security, in conjunction with software security is growing. However, there are a lot of variations in how much companies are relying on the combination of the two, versus just software, but we see statistics that tell us the combination of the two is of growing interest to medical device and system manufacturers.”

Infineon has created a lot of IP around security to make sure chips have protection against both known and theoretical attacks. But Armentrout noted that it isn’t always necessary to develop particular chips for medical devices, specifically. Rather, many of the security issues are generic in nature, and typical security countermeasures in standard off-the-shelf ICs can be used in many cases.

The advantage to that approach is it lowers the cost of production, and manufacturers will be a bit less hesitant to consider standard chips with countermeasures vs. custom chips with medical-grade designs. This is especially true if the risk of unique or medical-specific issues is considered rare by the manufacturer.

Conclusion
While each of these experts have different sets of metrics they focus on, there is a common thread. They all say security in the medical industry has room for improvement.

Progress has been made, both on private and the governmental levels. But there are still quite a few holes that pose serious concerns to patient safety and data security—and plenty of other possible weaknesses that haven’t even been considered yet.