As medtech developers seek to reduce costs and provide improved patient monitoring and care, they are introducing wireless electronics to the market. The pace of development is slipping past “steady” and is now better characterized as “frenetic.” Embedded software is critical for collecting, managing, storing, and transmitting medical health data. But the security of these devices and the security of the patient data collected and stored in them present new challenges to the medical device industry.
One challenge, says Bryan Gartner, senior technology strategist at SUSE Embedded, is that there are so many options for interaction. “Some companies use middleware to connect to the hospital and some write their own code. And this creates potential attack surfaces,” he says. Understandably, he explains, hospitals are hesitant to open portals for device data because of the risk to patients.
SIDEBAR: SUSE Embedded in design
Dennis Vetrano, sales and business development manager, medical for SUSE Global Embedded agrees, saying more standards are needed. “Driving patient data to many areas in the hospital from varying devices and ultimately to the EMR has become very complex due to a lack of standards within the industry and internal hospital IT structure.”
SUSE Embedded is not trying to force standardization, says Gartner, but the company hopes to help mitigate the exposure by providing multiple tools on multiple levels that medtech designers can use. “We try to assist in securing architectures, offering guidance for the best tool for their needs.”
There are various ways in which some medtech companies might be unprepared for cyber security: Malware discovery in medical devices; transmitting unencrypted data; and overcoming a lack of comprehensive incident reporting to combat breaches are just a few.
Gartner says that, when it comes to malware, Linux software is generally delivered in granular packages that, at any time, can be checked to ensure they were signed and delivered as expected. He also suggests that devices take advantage of detection software that can be run over and over until it finds something out of the ordinary. “With tools like that you do your best to isolate and mediate those problems and their impact to the overall device’s functioning.”
For transmitting unencrypted data, Gartner says companies need to get a handle on data and make sure it is secure, both at rest and in transit. That requires some understanding of the options available, along with sound authentication and authorization principles. There is a lot of freedom of choice in encryption technology, he says. “It really is up to the designer to choose the most appropriate one for the situation.”
Gartner notes that there is a tradeoff between device compatibility and security. However, he suggests that in more cases, use WPA2-PSK (AES) for the connection and use AES methods for the data at rest. In addition, VPNs can offer more protocols and encryption options for the point-to-point connections, again with the layered defense approach.
Increasing connectivity increases cybersecurity risks. For most computer systems, explains Gartner, security concerns primarily revolve around the protection of the data or information and ensuring its integrity over time.
With medical devices, the scope expands further to ensure that functionality cannot be interrupted or changed beyond the intended purpose, since injury to users or operators is also at risk.
No matter what label a security threat or compromise may take, having connectivity increases the opportunity for exploits beyond what was traditionally only possible via physical access. Each connected device becomes a potential gateway to the overall ecosystem of other connected devices, possibly becoming the weakest link in the bigger picture. The fundamental properties of confidentiality, integrity and availability must be addressed with all designs, architectures, and implementations.
With Linux in general, and for SUSE Embedded specifically, Gartner says multiple tools exist at each of the layers of the OSI model to address these principles within a given design and set of constraints.
Making Linux secure
Linux is an alluring option because of its reputation for resistance to cyber threats. As Gartner notes, “The overall community of users, administrators and developers are quite knowledgeable on security, privacy and protection measures.” Many users select Linux specifically because of security concerns with other operating systems. “Developers often favor newer technologies and versions,” he says. “Given the culture of the overall Linux ecosystem around security and quickly addressing any issues, the confidence and respect for this operating system is well-earned.”
That said, Gartner emphasizes that security is a process, not a state of being. “Nobody should be complacent about potential cyber threats.”
To better understand Linux security, Gartner explains that Linux was designed as a multi-user operating system, with “specific access control paradigms. Because it is by nature, open sourced, security defects can be observed, traced to a root cause, and fixed by any interested party.”
Vulnerabilities are cataloged and fixes are made available often before being publicly disclosed. By the very nature of the development model, says Gartner, “projects like the Linux kernel are handled by a tiered group of submitters, moderators and maintainers before arriving in the public code stream.”
Linux distributors, like SUSE, Embedded take a snapshot of a set of releases and run their own significant testing, including security, to ensure a quality, reliable and robust offering for their customers. Further, he says, the distributors are also plugged into the vulnerabilities databases and the security community at large, to ensure customers receive timely updates to address threats and defects.
Prescriptions for risk management
Regulations such as IEC 62304 are good at being prescriptive, notes Gartner. These standards, says Gartner, “provide the framework for the documentation needed for the software artifacts of a medical device,” over its entire life cycle. By focusing on risk management throughout the process, the documents enforce a mindset to assess risk early and often, as well as mitigate risks consistent with the devices’ own criticality classification and exposure to use or injury.
Depending on the classification of the software (as product, system, unit, SOUP), these standards can vary, he says. But in general they provide supporting evidence to the device manufacturer of a mature, functioning process control over how the software is developed, tested, delivered and maintained.
Of late, Gartner says he has been impressed that FDA has begun to mandate timely security updates to devices as part of regular maintenance to minimize the risk of cyberthreats as they arise. However, he says, device companies may not be used to tracking and managing threats effectively.
A significant challenge is a fear of reporting. Gartner advises medtech companies to ensure that they not avoid reporting as a defensive move. One of the benefits of working with a distributor, he says, is that it allows a safer platform, or a protected mode, in which to engage in bug fixes and updates.
He adds that the fear of reporting is a historical problem in medtech. Some companies struggle to overcome the notion that after development, they shouldn’t touch the product because of FDA requirements. “This is where education in the process is important,” Gartner says.
Vetrano agrees it is a significant change in the business model. “It is becoming clear that medtech can’t ignore bug fixes.” He acknowledges that it changes the resource allocation for medtech product development. “Medical device companies have to mentally get behind the idea that in addition to the significant development costs, they have to maintain security once a product is on the market.”
In the last 24 months, Vetrano says, FDA has made clear that companies will be expected to update software with bug fixes and security patches and threat they will not have to refile for those changes. “SUSE Embedded provides that security, but we cannot force companies to implement the patches or bug fixes.”
He also notes that just because medtech won’t have to re-file with FDA for bug fixes, it doesn’t mean they don’t have to do the internal work. “They still have to document and test everything,” says Vetrano, “and that’s where some problems have risen.” Companies might not have the engineering bandwidth to retest and document. Here again, OS developers can be tapped to assist.
Gartner says that partnering with developers is a good strategy. “The key is that medtech companies can focus on validation of the device and desired functionality as a whole, rather than becoming OS engineers.”
Both Vetrano and Gartner say that medtech can’t simply rely on FDA to prescribe security. “We in the medical field look to FDA as captain of the ship. But sometimes you can’t just look at the documents,” says Vetrano. “You have to make sure you are doing the right thing. As well as the documents are written and as helpful as they are, your compliance is only as good as the people reading, understanding, and applying those principles. There is good guidance and structure, but it is up to the integrity of the company to put it into practice.”
The future of security
Long gone are the days in which software can simply be deployed and not updated for security issues, says Gartner. “Depending on the evaluation of the risk involved, the device manufacturer can determine how best to re-mediate the risk, by accepting and deploying a software update or by making configuration changes.”
“We live in an ever-more connected world, and the easy answer of isolation is not viable,” notes Gartner. However, he says, “with sound, security-based and tried and true architectures that also take into account the time-value of the data/assets being protected, it is possible to address cyberthreats in a rational, yet not overly complex or expensive fashion. Using diverse levels of protection is the best way to prevent problems.”