A layered security approach improves protection and eases the burden on Healthcare IT.

Medical devices, such as infusion pumps, patient monitors and MRI scanners, can be just as susceptible to malware as standard computers. Keeping them secure on a network is challenging, and the stakes are particularly high because a compromised device can directly affect patient care and outcomes.

Underscoring the point, McAfee and a medical equipment manufacturer recently publicized a security flaw with potentially life-or-death consequences: a networked insulin pump that could be hijacked and made to deliver a potentially lethal dose of insulin to a diabetes patient. Although medical equipment is not typically the intended target of a cyber-attack, it can become "collateral damage" in a malware outbreak, or be the weak link that opens the door to an attack on the rest of the network.

As the complexity of the network increases, securing devices becomes harder for both manufacturers and hospital IT organizations. That complexity is reduced significantly when medical devices are designed for security using the same models as typical networked clients. A common model lets hospital IT personnel apply consistent security policy across the network, which makes equipment easier to administer and monitor. Moreover, as new technologies and methods for thwarting attacks roll out, they can be deployed in the same way on medical devices as on the rest of the fleet.

No single security solution can address every future risk; instead, a series of different defenses must be implemented across the system. This can be done with properly implemented layered security that enforces policy from the CPU up to the application software, as outlined here and demonstrated by the Intel Medical Security Reference Platform. In the best case, devices are fully protected; in the worst case, malware is detected sooner, so that counteractive action can be taken before harm is done.

Device Security Challenges Today

One of the challenges facing hospital IT organizations is the large variety of hardware and software systems they must manage and secure. Further complicating matters, many equipment manufacturers develop unique security solutions, often because their purpose-built designs rest on non-standard or proprietary components. Consequently, it can be difficult to determine whether such devices comply with the purchasing hospital's security policies and whether they can be maintained for the expected life of the device.

Devices based on non-standard platforms may present other drawbacks, including the need to send them back to the manufacturer for upgrades, security-related or otherwise, which takes them out of service for a period of time. It may also be harder to capitalize on the latest advances developed for IT infrastructure built on standards-based computing technology. For instance, hardware-assisted virtualization adds a layer of isolation below the operating system that complements software-only defenses.

It can also be challenging for organizations to reach consensus on security policy due to conflicting viewpoints and goals of key stakeholders. As an example, security officers tend to advocate locking down systems to better protect the network, while IT managers gravitate toward opening up the network to deliver the best end user experience. A mutually acceptable course may be found with a layered security model implemented on standards-based platforms, which will improve device security and lower hospital IT support requirements.

Like other devices on the network, once compromised, medical devices could be the vehicle for launching all sorts of attacks. They can be used to harm patients, access patient records, initiate network attacks—like denial of service (DoS)—or spread malware to other systems on the network. To stop such actions, it is necessary to prevent hackers and malware from breaching the platform. While the basic principle behind securing a platform is conceptually easy to understand, it is far more difficult to realize in practice.

The guiding principle is that malware which somehow reaches a system must not be allowed to execute, and in particular must not be allowed to establish itself in system memory. In practice, however, the most problematic malware does find a way to load itself into memory and obscure its presence, so the platform's security mechanisms never discover it and never get the chance to act.

Layered Security Model

Although there are no ironclad solutions, a layered security approach, with safeguards deployed throughout the platform, goes a long way toward providing robust protection against the vast majority of attacks. The basic premise is that by creating multiple barriers, a device has more opportunities to discover the malware before it causes harm, which forces hackers to write more sophisticated malware in order to circumvent all the lines of defense. Additionally, a well-designed layered defense helps contain malware, thus increasing the possibility that a device can continue to perform safety-critical tasks even when attacked.

Figure 1

Using a layered security model, Intel, Wind River and McAfee developed a secure platform for medical devices, demonstrated by the Intel Medical Security Reference Platform. This proof-of-concept incorporates eight security safeguards spanning multiple layers: hardware, virtualization, operating system and services software, as shown in Figure 1. The platform is designed with off-the-shelf components, and it applies security policy consistent with standard IT practices.

Eight Safeguards for Protecting Medical Devices

In healthcare, networked medical devices can fall victim to all types of perpetrators using a wide variety of methods. This section explores potential vulnerabilities and suggests safeguards, implemented across the platform, that either prevent attacks or minimize their impact until corrective action is taken.

Objective 1: Stop unauthorized data copying

Data is the lifeblood of the connected hospital, and it has to flow freely to add value. But how accessible can sensitive data be, and can it really be protected in a world of outsourcing, portable storage devices, Facebook and Twitter?

Objective 2: Prevent untrusted code execution

Medical devices, unlike the tablets and laptops used by hospital staff, typically run a predetermined set of applications that is carefully controlled by the manufacturer. Two approaches to controlling what executes are blacklisting and whitelisting. PC users know blacklisting from anti-virus software, which searches for known-bad software and neutralizes it; by construction it cannot stop malware it has never seen. Whitelisting is a "lighter" approach and is well suited to embedded devices that run only known, trusted software: the permitted code is enumerated, and any application or file not on the list is prevented from executing, whether or not it has ever been seen before.
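The whitelisting check described above, as an added example that is not code from the Intel, Wind River or McAfee platform. It assumes a hypothetical enforcement point (in a real device this is a kernel hook on program execution) and uses a constructed allow-list of file hashes; the file names and contents are made up for the demonstration. The point it shows that the paragraph does not is that a whitelist must bind to file content, not file name, or an attacker can overwrite a trusted binary in place.

```python
"""Application whitelisting: only enumerated, hash-verified files may execute.

Added example; not code from the Intel Medical Security Reference Platform.
The enforcement point is assumed to be a hook on exec(); here check_execution()
is called directly so the policy decision can be observed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """Enumerate trusted binaries at provisioning time: resolved path -> SHA-256."""
    return {str(Path(p).resolve()): sha256_of(p) for p in paths}


def check_execution(path, allowlist):
    """Return (allowed, reason). Anything unknown or modified is denied (default deny)."""
    key = str(Path(path).resolve())  # resolve symlinks so the real file is what gets judged
    expected = allowlist.get(key)
    if expected is None:
        return False, "not on whitelist"
    if not os.path.exists(key):
        return False, "missing"
    if sha256_of(key) != expected:
        return False, "hash mismatch (modified)"
    return True, "ok"


def demo():
    """Constructed scenario: one trusted binary, one unknown file, one tampered binary."""
    d = tempfile.mkdtemp()
    trusted = os.path.join(d, "pump_ctrl.bin")          # hypothetical trusted application
    Path(trusted).write_bytes(b"#!/bin/true\n")          # constructed stand-in for its contents
    allow = build_allowlist([trusted])

    results = {"trusted": check_execution(trusted, allow)}

    rogue = os.path.join(d, "dropper.bin")               # file that was never enumerated
    Path(rogue).write_bytes(b"MZ\x90\x00")
    results["unknown"] = check_execution(rogue, allow)

    Path(trusted).write_bytes(b"#!/bin/true\nevil\n")    # attacker overwrites the trusted file
    results["tampered"] = check_execution(trusted, allow)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> allowed={verdict[0]} ({verdict[1]})")
```

A name-only whitelist would have passed the tampered file, since its path is unchanged; the hash comparison is what catches it. In a fielded device the allow-list itself must be protected (read-only storage or a signed policy file), otherwise the attacker simply adds an entry.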

Objective 3: Interrogate incoming packets

Malware often reaches medical devices through the network. This common avenue of attack can be curtailed by locking down network access so that only legitimate communications, from expected peers on expected ports, are received and transmitted by the device; everything else is dropped before it reaches an application.

Objective 4: Protect data and communications

Once compromised, a medical device can become a base from which a hacker launches attacks on other devices and systems on the hospital network. Protecting the data stored on the device and authenticating its communications with other systems limits what a compromised device can read, and what it can forge, from that position.

Objective 5: Prevent unintended interactions between applications

A hacker can infiltrate one application with the intention of using it to reach another application's data. Once malware is resident in memory, it looks for other applications and files to exploit by reaching into their memory space. To reduce the harm malware can cause, restrict the number of software elements it can reach, which greatly limits its ability to move around. This can be achieved with virtualization technology that runs applications in their own isolated partitions.

Objective 6: Prevent device performance degradation due to poorly functioning code

Wreaking as much havoc as a virus, a badly coded application or an inadequately tested patch can consume copious amounts of computing resources and ultimately have the same effect as a DoS attack. Left to run unchecked, poorly functioning code can take precious CPU cycles and memory away from a medical device's safety-critical applications, whose performance may degrade to the point of putting the patient at risk.

Objective 7: Reduce attack surface

Malware frequently enters devices via network ports, so every listening service the device does not need is an unnecessary exposure. Disabling unused services and closing their ports shrinks the attack surface to the handful of interfaces the device's function actually requires.
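One way to express the lock-down of Objective 3 and the port reduction of Objective 7 as a single default-deny policy, as an added example that is not code from the platform described in the article. The device role, subnets and port numbers are a constructed scenario for a hypothetical patient monitor; the policy evaluator, the listener audit and the rendering to iptables rules are the added illustration.

```python
"""Default-deny network policy for a hypothetical medical device.

Added example, not code from the Intel/Wind River/McAfee platform. The device,
subnets and ports below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (device is the server) or "out" (device is the client)
    proto: str       # "tcp" or "udp"
    remote: str      # CIDR the remote peer must belong to
    port: int        # local port for "in", remote port for "out"


# Constructed policy: accept only an HL7 feed from the integration-engine subnet,
# SSH from one management host, and outbound NTP and syslog. Everything else is dropped.
POLICY = [
    Rule("in", "tcp", "10.20.0.0/24", 2575),   # HL7 over MLLP
    Rule("in", "tcp", "10.20.0.5/32", 22),     # SSH, single management host only
    Rule("out", "udp", "10.20.0.0/24", 123),   # NTP
    Rule("out", "udp", "10.20.0.0/24", 514),   # syslog
]


def filter_packet(direction, proto, remote_ip, port, policy=POLICY):
    """Objective 3: first matching rule accepts; no match means DROP."""
    ip = ipaddress.ip_address(remote_ip)
    for r in policy:
        if (r.direction == direction and r.proto == proto and r.port == port
                and ip in ipaddress.ip_network(r.remote)):
            return "ACCEPT"
    return "DROP"


def audit_listeners(listening, policy=POLICY):
    """Objective 7: ports the device actually listens on that no inbound rule justifies.

    Anything returned here is a service that should be disabled, not merely firewalled.
    """
    permitted = {(r.proto, r.port) for r in policy if r.direction == "in"}
    return sorted(set(listening) - permitted)


def to_iptables(policy=POLICY):
    """Render the policy as a default-deny Linux host-firewall rule set."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in policy:
        chain, addr = ("INPUT", "-s") if r.direction == "in" else ("OUTPUT", "-d")
        lines.append(f"iptables -A {chain} -p {r.proto} {addr} {r.remote} --dport {r.port} -j ACCEPT")
    return lines


def demo():
    """Constructed traffic and a constructed listener list for the device above."""
    decisions = [
        filter_packet("in", "tcp", "10.20.0.7", 2575),    # HL7 from the right subnet
        filter_packet("in", "tcp", "192.168.5.9", 2575),  # HL7 from the wrong subnet
        filter_packet("in", "tcp", "10.20.0.9", 22),      # SSH from a non-management host
        filter_packet("in", "tcp", "10.20.0.7", 445),     # SMB probe, no rule at all
        filter_packet("out", "udp", "10.20.0.2", 123),    # NTP request going out
    ]
    listening = [("tcp", 2575), ("tcp", 22), ("tcp", 80), ("udp", 161)]  # from a port scan
    return decisions, audit_listeners(listening)


if __name__ == "__main__":
    decisions, extra = demo()
    print("decisions:", decisions)
    print("unjustified listeners:", extra)
    print("\n".join(to_iptables()))
```

The two functions are deliberately complementary: filter_packet() stops traffic to a port, while audit_listeners() flags that the port is open at all. A web console on tcp/80 or SNMP on udp/161 that the device's function does not require should be removed from the image, since a firewall rule can be misconfigured or bypassed but a service that is not running cannot be exploited.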

Objective 8: Harden device against unexpected failures

The software complexity of modern medical devices makes it nearly impossible to test exhaustively for every way in which a system can be compromised. Negative testing, using techniques such as fuzz testing that feed the device malformed and unexpected input, uncovers the crashes and unhandled errors that ordinary functional testing never exercises, and so reduces some of this risk before the device ships.
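A minimal mutation fuzzer and the kind of defect it finds, as an added example that is not from the article or the platform it describes. The message format (a record count followed by type/length/payload records) is constructed for the demonstration, as is the seed message. The naive parser trusts the length and count fields the way a hastily written device parser might; the hardened parser rejects malformed input through one controlled error path, which is what the fuzzer is checking for.

```python
"""Mutation fuzzing of a constructed length-prefixed message parser.

Added example; the format, seed and both parsers are made up for illustration.
A "crash" is any exception the parser did not intend to raise: on a device that
is an unhandled fault in a safety-critical process.
"""
import random
import struct


class ParseError(ValueError):
    """The only exception a well-behaved parser is allowed to raise on bad input."""


# Constructed format: >H record count, then records of (1-byte type, >H length, payload).
SEED = (struct.pack(">H", 2)
        + b"\x01" + struct.pack(">H", 3) + b"abc"
        + b"\x02" + struct.pack(">H", 1) + b"x")


def parse_naive(data):
    """Trusts every field; crashes with struct.error or IndexError on bad input."""
    count = struct.unpack_from(">H", data, 0)[0]
    off, recs = 2, []
    for _ in range(count):
        typ = data[off]
        ln = struct.unpack_from(">H", data, off + 1)[0]
        recs.append((typ, bytes(data[off + 3:off + 3 + ln])))  # silently truncates
        off += 3 + ln
    return recs


def parse_hardened(data, max_records=64, max_payload=1024):
    """Validates every field before use; rejects bad input only via ParseError."""
    if len(data) < 2:
        raise ParseError("short header")
    count = struct.unpack_from(">H", data, 0)[0]
    if count > max_records:
        raise ParseError("too many records")
    off, recs = 2, []
    for _ in range(count):
        if off + 3 > len(data):
            raise ParseError("truncated record header")
        typ = data[off]
        ln = struct.unpack_from(">H", data, off + 1)[0]
        if ln > max_payload:
            raise ParseError("payload too long")
        if off + 3 + ln > len(data):
            raise ParseError("truncated payload")
        recs.append((typ, bytes(data[off + 3:off + 3 + ln])))
        off += 3 + ln
    if off != len(data):
        raise ParseError("trailing bytes")
    return recs


def mutate(seed, rng):
    """One random mutation: flip a byte, truncate, insert junk, or extreme 16-bit field."""
    b = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and b:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif op == 1 and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    elif op == 2:
        i = rng.randrange(len(b) + 1)
        b[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    elif len(b) >= 2:
        i = rng.randrange(len(b) - 1)
        b[i:i + 2] = rng.choice([b"\x00\x00", b"\xff\xff", b"\x7f\xff"])
    return bytes(b)


def fuzz(parser, seed=SEED, iterations=2000, rng_seed=1):
    """Return {exception name: first input that caused it} for unintended exceptions."""
    rng = random.Random(rng_seed)  # fixed seed so the run is reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ParseError:
            continue          # controlled rejection: this is the behaviour we want
        except Exception as e:  # anything else is a bug the device would not survive
            crashes.setdefault(type(e).__name__, case)
    return crashes


if __name__ == "__main__":
    print("naive:", {k: v.hex() for k, v in fuzz(parse_naive).items()})
    print("hardened:", fuzz(parse_hardened))
```

Run stand-alone, the naive parser produces crashing inputs within the first few hundred iterations (truncated headers and inflated counts), while the hardened parser produces none because every malformed input is funnelled into ParseError. The same harness structure applies to a real device: the fuzzer generates inputs, the target is the protocol handler, and the oracle is "did anything other than the expected rejection path fire". Saving the first crashing input per exception type gives developers a reproducer rather than just a count.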

As of today, no single security solution offers 100 percent protection. Living with this reality every day, hospital IT organizations must sort through countless solutions and support a large number of them. The complexity is multiplied by purpose-built medical devices that incorporate unique and sometimes obscure solutions, each adding to the support effort.

Security cannot be bolted on as an afterthought at the end of the development cycle. Addressing security concerns must be part of the design process—from an analysis of all attack vectors that might be used by a hacker, through the selection of secure building blocks, to thorough security-focused testing—which is made an integral part of the medical device release checklist.

Moving forward, medical devices built on the same standards-based platforms as the hospital's IT infrastructure can greatly simplify security management while offering state-of-the-art protection. Another important criterion for a security architecture is its effectiveness over the typical lifespan of a device, which is 10-15 years; the layered approach from Intel, Wind River and McAfee outlined in this article is designed to remain effective over that span.


Intel

Santa Clara, CA.

(408) 765-8080.

[www.intel.com].


Wind River

Alameda, CA.

(510) 748-4100.

[www.windriver.com].