I recently read an article entitled “IoT and medical devices can be a scary combination” by Michael Hoffman from Polarion Software.
Given the spate of reports on vulnerabilities within medical devices, this reaction is not surprising. It’s not hard to imagine scenarios where highly connected medical devices result in loss of privacy. Much worse scenarios, in which a cyberattack causes a medical device to perform improperly and affects patient treatment, are also a serious concern, and loss of life is not an unrealistic outcome.
Loss of data has already occurred. The FDA has published a safety notice concerning a network-connected infusion pump that was vulnerable to cyberattack. Clearly, there is reason to think of the IoT and medical devices as a scary combination.
But it doesn’t have to be. There are steps that design engineers can take today to ensure the security of their devices. Michael Hoffman’s article points to more proactive security measures being taken by the FDA, Department of Homeland Security and ICS-CERT, and advocates for the use of requirements management software to help manage the complexity of software development and ensure that security is addressed appropriately. These are important steps to build secure, connected medical devices.
Another important step is to evaluate available security frameworks for building security into the medical device. Building a secure medical device requires a number of security features, including, at a minimum, encryption, security protocols, secure boot, and secure firmware updates. Rather than trying to build all of these pieces from scratch, or trying to integrate open-source solutions that were not truly designed for embedded use, a commercial solution can be used.
A commercial solution designed for use in embedded devices can shorten development cycles, reduce complexity, and has the benefit of being developed by teams focused purely on security. These products also see much wider use than solutions developed in-house, with a resulting increase in quality.
IoT-connected medical devices are complex devices with multiple attack vectors for hackers to exploit. But with security properly implemented using an existing security framework, you can reduce complexity, increase security and help create the Internet of Secure Things.