Shodan, “The scariest search engine on the Internet,” according to CNN Money, is a search engine scouring the Internet looking for servers, webcams, printers, medical devices, and all the other devices connected to and making up the Internet of Things. Searches on Shodan provide a stunning amount of information. Would-be hackers find critical systems to attack. They conduct searches by city or GPS coordinates, and discover detailed information on devices and their vulnerabilities.
The details of Shodan, coupled with the June 13, 2013, ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) publication of a list with more than 300 types of devices using hard coded passwords, presents a startling view of security for medical devices. The use of a hard coded password permits hackers to easily gain control of the medical device and is the sort of vulnerability that Shodan is adept at discovering.
Built-in cyber security protects medical devices from discovery by Shodan, shielding them from hackers and possible cyber-attacks.
Types of medical devices with known vulnerabilities (based on the Shodan searches and the ICS-CERT report) include:
- Glucose meters.
- Surgical and anesthesia devices.
- Fetal heart monitors.
- Drug infusion pumps.
- External defibrillators.
- Patient monitors.
- Laboratory and analysis equipment.
Security requirements for medical devices
In response to the ICS-CERT report, the FDA has issued guidance for OEMs developing and building medical devices. The FDA guidelines recommend device manufacturers include the following capabilities:
- Restricting unauthorized access to medical devices.
- Making certain firewalls are up-to-date.
- Monitoring network activity for unauthorized use.
- Disabling all unnecessary ports and services.
Given that many medical devices currently do not include any of the capabilities recommended by the FDA, and the prevalence of hard-coded passwords, it is clear a new approach is required to protect medical devices.
FDA Security Guidelines
Device Capability to meet FDA guidelines
Restricting unauthorized access to medical devices
Firewall services to limit access to known, trusted hosts (such as IP address whitelisting)
Making certain firewalls are up-to-date
Remote management of firewall policies
Monitoring network activity for unauthorized use
Firewall activity logging, event reporting to security management system
|Disabling all unnecessary ports and services||Firewall services to block unused ports and protocols|
Integrating a firewall into a medical device also enables the device to meet the FDA security guidelines.
Implementing Security in Medical Devices
As an engineer working on a medical device, what do these guidelines mean? Many medical devices are specialized products and the security solutions used for standard PCs won’t work for them. Meeting the security guidelines is clearly important, but doing so requires an approach customized to the needs of the device.
To ensure devices are protected from today’s cyber threats, device manufacturer must build enhanced security into the device itself. It is no longer sufficient to assume the device will be successfully protected by a corporate firewall. The device may not be deployed on a secure network, the corporate firewall could be breached, or an attack could be launched from within the network itself —the so-called insider attack. A layer of defense build into the device itself is critical.
An integrated firewall provides a basic, but critical level of security for a networked device by controlling which packets are processed by the device. The embedded firewall resides on the device and is integrated into its communication stack. The communication requirements of the device are encoded into a set of policies defining allowable communication. The firewall enforces these polices, limiting communication to the required IP address, ports and protocols specified in the policies.
Since each packet or message received by the device is filtered by the firewall before passing from the protocol stack to the application, many attacks are blocked before a connection is even established, providing a simple, yet effective layer of protection missing from most devices.
|Avi Rubin, a professor of computer science at Johns Hopkins University has spoken on the security risks posed by modern medical devices.|
Once the protected devices are deployed, it is critical to manage the security policies on the device and for the device to monitor and report invalid access attempts and other security threats. This is achieved by providing integration with enterprise security management systems. The firewall should include a management agent that enables:
- Configuration of filtering policies.
- Integration with enterprise security management systems.
- Reporting of invalid login attempts and other security incidents.
Security management system integration enables the protected device to notify the organization’s network management personnel of security issues and attacks, allowing efficient mitigation, and preventing issues from proliferating throughout the network. This type of networked security management is standard policy for PCs and servers. Medical devices are no different—they need to support built-in security and integrate with existing security management systems.
Medical devices are typically specialized designs, and as such, standard PC security solutions cannot be used to protect them. With the growing number of cyber-threats, it is critical to build security into the device. An embedded firewall solution such as Floodgate from Icon Labs can be used to add security and help meet the FDA Guidelines for cyber security, shield the device from Shodan and protect the device against cyber-attacks. By controlling who the device talks to, most attacks can be blocked before a connection is even established. Enterprise security experts have been utilizing a defense-in-depth strategy for a long time now. The cornerstone of this strategy is a firewall. This same strategy needs to be adopted to build secure medical devices.
David West is the Director of Engineering at Icon Labs, a leading provider of security solutions for embedded devices. You can reach him at firstname.lastname@example.org.