By Hugh Darvall, Flexera Software Director Australia and New Zealand.
From smart fridges and water coolers to the connected home and office, the internet of things (IoT) is a revolution that has brought with it endless possibilities. At the other end of the spectrum, there are serious concerns around the security challenges associated with the IoT, especially in regard to medical devices.
Millions of people around with world realised this concern recently with the US Food and Drug Administration warning about the susceptiblity of pacemakers to hacking. This echoes the concerns of a number of Australian doctors and cardiologists, who say thousands of Australians with pacemakers and defibrillators are at risk of cyber-security breaches.
The warning also brings home the overriding message to vendors and consumers alike that no internet-connected device is 100 per cent secure. If it is connected to the Internet, it can be hacked. Thankfully, software patches are now addressing vulnerabilities presenting the biggest risk, and are combating a number of threats.
The unthinkable is now very thinkable
Cybercriminals are moving away from what constitutes a traditional hacker. We are now seeing cyber attacks move beyond mere desktop computers to IoT devices, including medical devices. This demonstrates how cyber-security breaches are hitting home in a very personal way, going as far as directly affecting the health of those closest to us.
In order to protect the safety of patients and our loved ones, it is crucial for medical-device manufacturers to manage any risks related to software vulnerabilities within their own code, as well as monitor and react to vulnerabilities of any third-party or open-source software components they might be using in their devices. They should also have a strategy in place to send updates out to the right customers.
Vulnerabilities are errors in software that can be exploited with security impact and gain. If hackers launch an attack against internet-connected products, it can cause enormous damage to the medical manufacturer and their patients – either because the products are controlled by the hackers, or because the user data is extracted and abused by those hackers.
Consequently, medical manufacturers need to increase focus on the security of the device itself, as well as the software that controls the device. This includes careful code testing, continuous maintenance, careful mapping of bundled software and verified intelligence about any vulnerabilities in that software – as well as ample resources to react promptly and effectively as soon as vulnerability in the product is reported.
Reducing risks in five steps
Today, more than ever, it is up to medical-device manufacturers to be vigilant and mitigate the exposure associated with connected devices. They can do this in five simple steps:
- For medical applications that sit at the operating-system level, adopt tamper-resistance technology to protect software applications from hackers.
- Protect embedded software on the medical device from reverse engineering, and make changes at the machine level to strengthen protections.
- Ensure the applications on medical devices and mobile-device management systems have an easy, automated mechanism for getting the latest security patches and updates out as fast as possible.
- Proactively monitor medical devices for application issues.
- Provide a reliable and secure ecosystem with clear traceability through the supply chain – from initial software delivery to subsequent firmware/software updates on the device – as well as the ability proactively to disable devices at mandated end of life, or during product recalls.
As the news agenda progresses, there is now a strong shift from the advantages of IoT-connected devices to the associated risks of exposure. It is more important than ever to discuss how device manufacturers can embrace these products while keeping risks at bay, especially when it comes to medical devices. Doing so will stop making the unthinkable so thinkable.