What measures are in place to help protect medical devices from cyber compromise? President & CEO of Enigma Forensics, Lee Neubecker gained insight into the latest and greatest preventative measures being developed for medical devices. Lee sat down with the top engineer for Sterling Medical Devices, Keith Handler and explored technical measures applied to the manufacturing process of medical devices. Check out this video to learn all about the tech measures. You will be so much smarter if you do!
Part 3 of our 3-Part Series on Medical Devices
The video transcript of Preventative Measures: Medical Devices follows.
Lee Neubecker: Hi, I’m back on the show again with Keith Handler from Sterling Medical Devices. Keith, thanks for coming back.
Keith Handler: Hi Lee, thanks for having me.
LN: So in our 3rd segment on medical device security, we’re going to talk a little bit more about some of the hardware elements, how the software gets loaded onto medical devices and what things are in place to help protect medical devices from cyber compromises. So first, Keith, can we start off with telling everyone what FIPS 140-2 is and how that plays a role?
KH: Yeah, absolutely. FIPS is the Federal Information Processing Standard, 140-2 is the specific certification for encryption libraries. That certification means that those encryption libraries are proven to be usable and certified to be usable for federal systems and medical systems.
LN: Most hospitals require FIPS 140-2 for immediate devices if you’re transferring PHI, Patient Health Information. If you’re transferring that information to external storage, they want to make sure you’re using secure storage that meets federal information processing standards.
KH: Correct.
LN: So when you’re evaluating a device for security, what are some of the things that you do to help ensure that the firmware that’s stored on the chips is secure and safe?
KH: Well, an embedded device it’s a challenge, of course, you have limited space, limited capabilities typically, especially on lower power devices. If you’ve got the space and the ability, we can use hardware encryption chips, hard-circuits, those are usually the most reliable and the most performant. If not, there’s plenty of embedded libraries out there that are FIPS 140-2 certified. The main thing being that we never roll our own as far as encryption libs go, we use federally certified ones to ensure that we’re up to the current standards and encryption strength.
LN: Those standards change over time.
KH: Correct, yes.
LN: At one point and time, SHA-1 encryption used to be considered perfectly fine, but now with quantum computing, there’s been a rush to ditch SHA-1 and require SHA-2 as encryption library to help secure things.
KH: Yes, this brings up an important point actually. How do we keep things secure moving forward when new vulnerabilities are found, new attacks are found, libraries are cracked.
LN: Yeah so, what do hospitals and other healthcare providers need to be doing to ensure their devices stay secure once deployed?
KH: Well, hospital healthcare providers need to be making sure that they are up-to-date with the manufacture of all of their devices, that they are keeping apprised of any kind of recalls or anything like that. Manufacturers, the people that we typically deal with, product developers, their responsibility is to maintain a bill-of-materials, a cyber bill-of-materials; their libraries, their encryption circuits, make sure that they’re tracking the versions and things like that so that when a company has a vulnerability exposed, they can become aware and make updates and push them, software especially, as fast as possible.
LN: All right, so if an organization or a healthcare entity were to become compromised, have you been involved with supporting the client that underwent a cyber compromise?
KH: I have not, we’re usually in the earlier stages of developing the products prior to that occurring, and our products hopefully never get compromised.
LN: So I’d imagine though that if there’s a concern about the security of certain medical devices, that there’s a need to actually dump the firmware. Firmware is software stored on an embedded chip. But the firmware will persist after power-down, reboot to whatnot, but there is an ability to go and extract the firmware of the chip with the correct tools, such as a Bus Pirate, or other devices. And then what would you do to examine, if you had access to the firmware on a chip, how would you go about ensuring that that’s authentic?
KH: Well the first thing is if we’re going to push out firmware, things like that, you need to make sure that the device can know that it’s authentic. And we do things again, like digital signing, signature verification encrypting of that firmware package. That way we have a verification process in place to ensure that what we’ve got coming down is good.
LN: So that’s known as a hash.
KH: That’s part of it yes.
LN: So the hash value is the unique encrypted thumbprint generated by a hash algorithm and those hash values can be used to compare against the manufactures release version and what’s on the chip to determine, are they running the most recent up-to-date firmware, or are they running a older version or are the running something that’s rogue that is not known by the manufacturer.
KH: And that’s the real key, to make sure that what we’re running is what we expect it to be and not something that has been tampered with.
LN: How often are hospitals and IT staff actually auditing and checking their firmware?
KH: You know I’m not clear on that, but I would say almost certainly not enough.
LN: Yeah, so that’s one of the things that I know you’ve said earlier, that it’s important that all these entities using the devices, once they’re certified and deployed, there’s still a responsibility on the healthcare delivery organizations to make sure that they’re patching and updating those devices so that they keep the standards.
KH: Ideally. Nowadays, a lot more devices are connected, communicating out with central servers, and that gives them the advantage of being able to receive security updates, so it takes that middleman out, essentially, but that also opens up additional potential security holes that have to be considered and protected against.
LN: Yeah, and anything that comes to mind that you’re concerned about in regard to new threat factors?
KH: Well, you know, again, if I’m distributing firmware by handing it to you on a USB stick, you can be pretty certain that what I’m giving you is likely to be good. If I’m telling you download it from this site, you don’t know. For all you know, it could get tampered with in transit. So it raises a lot of additional risks.
LN: Do you think that there’s something to be said for going back to the old updates on CD, read-only media?
KH: Well, you know, information is what it is, and things mover faster nowadays, so I don’t know that it makes sense to move backward, it just means that we have to have more modern methods of protection.
LN: But thanks a bunch for being on this show. This is great stuff.
KH: You’re very welcome, and thanks for having me.
LN: It’s my pleasure.
