Medical devices are critical to our healthcare system. It is becoming increasingly realized that the security profile of many networked medical devices may not be optimal thus rendering the devices vulnerable to hacking or malware. There are a number of examples of medical devices that have been hacked including insulin pumps and implantable defibrillators, and it’s likely that many more medical devices are also vulnerable.
One of the key tactics hackers use to identify an exploitable vulnerability is fuzz testing. Importantly, this exact technique can be used to harden a medical device if manufacturers deploy it at the time of system design, build and testing. While fuzz testing alone is not sufficient to identify all medical device vulnerabilities, it does represent an important tool to further ensure that medical devices are as secure as possible and therefore plays an important role in the promotion of patient safety and privacy.
This article provides a brief introduction to fuzz testing, which the Medical Device Innovation, Safety and Security Consortium (MDISS) recommends using to make medical devices more secure. For those interested in a more detailed review of fuzz testing and a structured approach to the deployment of fuzz testing, a white paper is accessible on the MDISS website in the latest public document section located at http://www.mdiss.org/media/6004/codenomicon-mdiss-fuzz-framework-16.pdf
Fuzzing is a technique for improving the safety and reliability of software and firmware in medical devices. Fuzzing locates unknown vulnerabilities and other defects by sending malformed and unexpected inputs to software.
Software and firmware are woven into the fabric of society. While technological advances can be exhilarating, corresponding risks have also emerged. When software or firmware does not work as intended, or when attackers use software and firmware for their own purposes, the consequences can be severe.
Nowhere is this risk more immediate than in the medical community where a patient is more likely to be exposed to one or more networked medical devices that are critical for diagnosis or treatment. The scale of the exposure becomes clearer when one considers that the Center for Disease Control and Prevention (CDC) estimates that there are approximately 1 billion patient encounters annually in the USA.
While the landscape of medical devices is very diverse, the software that runs each of these devices impacts quality of care and patient safety. Software quality and the process of hardening medical device systems is important for all devices, including implantable pacemakers, surgical robots, large machines delivering precise doses of life-saving radiation, or the electronic health records systems that must safeguard protected health information (PHI) and the integrity of data that is used for clinical decision making.
The increasing complexity of software mandates vigilance to ensure that software works as intended. Unfortunately, software frequently fails in the face of unexpected or malformed inputs, also called fuzz. Fuzz can happen when software encounters real-world conditions, such as interacting with humans or machines that don’t behave as expected. Fuzz can also happen deliberately if an attacker wishes to gain control of a system or disrupt the normal operation of a piece of equipment.
When failures are found, they can be fixed, which makes the software more robust and more secure. The Institute of Electrical and Electronics Engineers (IEEE) defines robustness as the degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions.Having a properly functioning system, despite the unpredictable, is essential in the medical systems world in order to keep patients alive and information confidential.
Fuzzing is appropriate for medical device manufacturers, computing and network equipment manufacturers, healthcare delivery organizations (HDOs), researchers, and the organizations that live in the medical industry supply chain. However, it is critical that medical devices that are being used for patient care never undergo fuzz testing, but rather fuzz testing should be performed on medical devices in an isolated testing laboratory or at the site of manufacture so that the tested device can be cleared of the fuzz inputs and properly recalibrated to manufacturer specifications before being used in a live clinical setting.
Device manufacturers should use fuzzing as a part of their software development life cycle. Finding and fixing more bugs during product development will result in products that are safer, more robust and more secure. Finding and fixing bugs before products are released results in measurable cost savings for the manufacturer, providing a significant return on investment for the cost of tools and testing because there will be fewer incidents of medical device issues that would require implementation of risk mitigation strategies or recalls in the postmarket period.
The full white paper (http://www.mdiss.org/media/6004/codenomicon-mdiss-fuzz-framework-16.pdf) on fuzz testing presents a framework for the application of fuzz testing as well as use cases in the medical and telecom industries.
Dale Nordenberg, MD
Medical Device Innovation, Safety and Security Consortium
Principal Security Engineer