Recently the security of network-enabled medical devices has earned a lot more attention as a result of new FDA draft guidance.
The challenge now facing the medical device industry is how to secure these devices and protect against future attacks. Simply bolting new security features onto a product rarely works well, and changes at the end of product development are often expensive. Also, depending on the changes, it could mean recertifying the device.
Medical devices have some unique challenges here because security needs to be incorporated into both the hardware and software components of the device. Although a lot of research and work has been released on integrating security into the software development life cycle, very little work has been done on how to integrate security into hardware development.
There are number of different product development life cycles used to design and develop medical devices. At a high level all product development follows roughly the same steps of specification, design, development, testing, manufacturing and delivery.
Breaking the Flow – Adding Security into Product Development:
The proper way to address this problem is to integrate security into the product development life cycle.
+ Specification - During the Specification Phase the concept for the product and specifications are developed. During this stage, threat modeling should be performed to determine what types of threats are likely to attack the devices. Most manufactures do not have staff trained on how to perform threat modeling; therefore, it is recommended a third party such as SecureState perform this. Then security requirements should be based off of the threat modeling and regulatory demands the device must meet. These security requirements must be included in the overall device specifications.
+ Design - During the Design Phase the engineers take the product specifications and requirements defined above and use them to start designing the device.
Once the design is complete a security design and architecture review should be performed to make sure the design meets the security requirements established during the specification phase. This can be done using a third party like SecureState or another group inside your company, assuming they have the proper training and are separate from the team developing the new product.
If a proof of concept is created, penetration testing should be performed on the device to identify other attack vectors which may not have been thought of during the Specification Phase. It is important to note what security features have not been implemented, so time isn’t wasted testing items that have not yet been added.
+ Development - Often the Development Phase is split between hardware and software, although they may be intertwined.
In this blog I’ll be focusing on the hardware side, given the previous work already done on how to secure software development.
As the hardware is developed, security testing needs to occur as new features or functionality are added to ensure they do not introduce new vulnerabilities.
+ Testing - Once the device is developed, functional testing begins to verify the device meets specifications.
At this time, a final security review of the device should be performed. Once this occurs, a penetration test should be performed on the device to look for new vulnerabilities or weaknesses in the device.
+ Manufacturing - As the devices are manufactured, it is important to ensure the security specifications remain in place and new vulnerabilities are not introduced into the design.
During this phase, it is not unusual for small changes in the device to occur as final bugs are worked out. As these changes occur it is important to make sure they do not impact the security of the device.
+ Delivery - Documentation explaining the security features of the device, and how to implement them, needs to be provided to the customer. This is especially important when delivering devices to care providers who have to customize them for their environment.
+ Maintaining a Secure State – Securing the device does not stop once it is manufactured.
Although the steps performed above should help minimize the number and severity of bugs present in a device, it will not remove all vulnerabilities. Therefore a process needs to be created to address new vulnerabilities as they are discovered. This process should include creating patches when able and educating clients on how to mitigate risks posed by vulnerabilities.
Finally, devices should be penetration tested annually to identify new vulnerabilities.The practice of hardware hacking is advancing quickly. As new tools and attack techniques are developed, it is important to test new and existing devices against attacks.
Where to Begin:
As you can see, integrating security into product development is not an easy task. The difficult part is usually figuring out where to start. If you already released a device or are about to release a new device, the best first step is to have a penetration test performed to determine how well it can resist attacks.
If you are about to start developing a new device, now is the time to engage SecureState to ensure you include security from the beginning.
In addition to the steps listed above, another key area to assist with developing secure products is training your engineers, developers and QA departments in security. Although this is a critical area it is outside the scope of this article. Until your staff is trained, the security assessments outlined above should be performed by a trusted third party such as SecureState.