Preventative Measures: Medical Devices

What is a FIPS 140-2 and how does it play a role in medical devices? Are medical devices manufactured with security in mind? Experts Lee Neubecker and Keith Handler discuss medical device security.

What measures are in place to help protect medical devices from cyber compromise? President & CEO of Enigma Forensics, Lee Neubecker gained insight into the latest and greatest preventative measures being developed for medical devices. Lee sat down with the top engineer for Sterling Medical Devices, Keith Handler and explored technical measures applied to the manufacturing process of medical devices. Check out this video to learn all about the tech measures. You will be so much smarter if you do!

Part 3 of our 3-Part Series on Medical Devices

Part 3 of our 3-Part Series on Medical Devices

The video transcript of Preventative Measures: Medical Devices follows.

Lee Neubecker: Hi, I’m back on the show again with Keith Handler from Sterling Medical Devices. Keith, thanks for coming back.

Keith Handler: Hi Lee, thanks for having me.

LN: So in our 3rd segment on medical device security, we’re going to talk a little bit more about some of the hardware elements, how the software gets loaded onto medical devices and what things are in place to help protect medical devices from cyber compromises. So first, Keith, can we start off with telling everyone what FIPS 140-2 is and how that plays a role?

KH: Yeah, absolutely. FIPS is the Federal Information Processing Standard, 140-2 is the specific certification for encryption libraries. That certification means that those encryption libraries are proven to be usable and certified to be usable for federal systems and medical systems.

LN: Most hospitals require FIPS 140-2 for immediate devices if you’re transferring PHI, Patient Health Information. If you’re transferring that information to external storage, they want to make sure you’re using secure storage that meets federal information processing standards.

KH: Correct.

LN: So when you’re evaluating a device for security, what are some of the things that you do to help ensure that the firmware that’s stored on the chips is secure and safe?

KH: Well, an embedded device it’s a challenge, of course, you have limited space, limited capabilities typically, especially on lower power devices. If you’ve got the space and the ability, we can use hardware encryption chips, hard-circuits, those are usually the most reliable and the most performant. If not, there’s plenty of embedded libraries out there that are FIPS 140-2 certified. The main thing being that we never roll our own as far as encryption libs go, we use federally certified ones to ensure that we’re up to the current standards and encryption strength.

LN: Those standards change over time.

KH: Correct, yes.

LN: At one point and time, SHA-1 encryption used to be considered perfectly fine, but now with quantum computing, there’s been a rush to ditch SHA-1 and require SHA-2 as encryption library to help secure things.

KH: Yes, this brings up an important point actually. How do we keep things secure moving forward when new vulnerabilities are found, new attacks are found, libraries are cracked.

LN: Yeah so, what do hospitals and other healthcare providers need to be doing to ensure their devices stay secure once deployed?

KH: Well, hospital healthcare providers need to be making sure that they are up-to-date with the manufacture of all of their devices, that they are keeping apprised of any kind of recalls or anything like that. Manufacturers, the people that we typically deal with, product developers, their responsibility is to maintain a bill-of-materials, a cyber bill-of-materials; their libraries, their encryption circuits, make sure that they’re tracking the versions and things like that so that when a company has a vulnerability exposed, they can become aware and make updates and push them, software especially, as fast as possible.

LN: All right, so if an organization or a healthcare entity were to become compromised, have you been involved with supporting the client that underwent a cyber compromise?

KH: I have not, we’re usually in the earlier stages of developing the products prior to that occurring, and our products hopefully never get compromised.

LN: So I’d imagine though that if there’s a concern about the security of certain medical devices, that there’s a need to actually dump the firmware. Firmware is software stored on an embedded chip. But the firmware will persist after power-down, reboot to whatnot, but there is an ability to go and extract the firmware of the chip with the correct tools, such as a Bus Pirate, or other devices. And then what would you do to examine, if you had access to the firmware on a chip, how would you go about ensuring that that’s authentic?

KH: Well the first thing is if we’re going to push out firmware, things like that, you need to make sure that the device can know that it’s authentic. And we do things again, like digital signing, signature verification encrypting of that firmware package. That way we have a verification process in place to ensure that what we’ve got coming down is good.

LN: So that’s known as a hash.

KH: That’s part of it yes.

LN: So the hash value is the unique encrypted thumbprint generated by a hash algorithm and those hash values can be used to compare against the manufactures release version and what’s on the chip to determine, are they running the most recent up-to-date firmware, or are they running a older version or are the running something that’s rogue that is not known by the manufacturer.

KH: And that’s the real key, to make sure that what we’re running is what we expect it to be and not something that has been tampered with.

LN: How often are hospitals and IT staff actually auditing and checking their firmware?

KH: You know I’m not clear on that, but I would say almost certainly not enough.

LN: Yeah, so that’s one of the things that I know you’ve said earlier, that it’s important that all these entities using the devices, once they’re certified and deployed, there’s still a responsibility on the healthcare delivery organizations to make sure that they’re patching and updating those devices so that they keep the standards.

KH: Ideally. Nowadays, a lot more devices are connected, communicating out with central servers, and that gives them the advantage of being able to receive security updates, so it takes that middleman out, essentially, but that also opens up additional potential security holes that have to be considered and protected against.

LN: Yeah, and anything that comes to mind that you’re concerned about in regard to new threat factors?

KH: Well, you know, again, if I’m distributing firmware by handing it to you on a USB stick, you can be pretty certain that what I’m giving you is likely to be good. If I’m telling you download it from this site, you don’t know. For all you know, it could get tampered with in transit. So it raises a lot of additional risks.

LN: Do you think that there’s something to be said for going back to the old updates on CD, read-only media?

KH: Well, you know, information is what it is, and things mover faster nowadays, so I don’t know that it makes sense to move backward, it just means that we have to have more modern methods of protection.

LN: But thanks a bunch for being on this show. This is great stuff.

KH: You’re very welcome, and thanks for having me.

LN: It’s my pleasure.

View Part 1 of our 3-Part Series on Medical Devices

Part 2 of our 3-Part Series on Medical Devices

Other Related Articles

Overview of the FDA’s Medical Device Regulations

https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/overview-device-regulation

Sterling Medical Devices website

https://sterlingmedicaldevices.com/

FDA Cybersecurity Regulations: Medical Devices

A cardiac pacemaker is a lifesaver for many and is considered an implantable medical device. The FDA imposes regulations to protect these devices. Experts Lee Neubecker and Sterling Medical Devices, top engineer, Keith Handler examine FDA Quality System Regulations, ISO standards, and FDA guidelines used by Sterling Medical Devices that are essential to the manufacturing practices.

FDA Cybersecurity regulations in medical devices is a tough topic! Consider the cardiac pacemaker, probably the most notable life-saving implantable medical device. Did you know that it is operated by a computer chip? Just like any other computer they can be vulnerable to cybersecurity breaches.

Experts Lee Neubecker and Sterling Medical Devices, top engineer, Keith Handler examine the FDA’s Cybersecurity quality system regulations, ISO standards, and guidelines followed by Sterling Medical Devices to ensure cybersecurity for all their devices.

Tune in to Part 2 of our 3 Part Series on Medical Devices

The FDA Cybersecurity Regulations: Medical Devices Video Transcript Follows.

Lee Neubecker (LN): Hi, I’m back on the show today with Keith Handler, Keith, thanks for being back on.

Keith Handler (KH): Thanks again for having me.

LN: And Keith, again, is from Sterling Medical Devices, and today we’re going to talk about what measures are in place, that the FDA imposes to help ensure cybersecurity on medical devices, especially safety of PHI, and safety of the operation of those devices for end-users. Thanks again for being here.

KH: Yeah, thanks for having me. So, cybersecurity. It’s a tough topic, and the FDA is still figuring out how exactly to deal with it. They have issued guidance that attempts to categorize how high the risk is of cybersecurity for a device and the basic standards you need to follow in designing, and testing, and documenting your processes for developing that device. That guidance is currently how we generally implement most of our analysis processes and controls. The FDA has chosen to recognize certain certifications, such as UL 2100-1-2.

LN: And what is UL 2100-1?

KH: 2100-1 is a certification for network-connected systems, as far as cybersecurity is concerned, and 2100-1-2 is a subset of that standard, specifically for medical devices connected to the internet or a network. Mostly that standard follows the 2100-1, with a couple of modifications, based on the fact that medical is safety-related.

LN: Have you seen any changes in the standard since the WannaCry attack that took out a lot of the UK hospitals?

KH: Nothing that I can point to specifically. You know, that really comes down to changing specific vulnerabilities, our knowledge about them, and the attack vectors that we know that are capable of executing these things, cataloging them, making sure that we plan for them in future designs.

LN: So I know Bluetooth is a protocol that’s vulnerable to exploitation. I think at one point in time, there was a warning that everyone should take their pacemaker and get it updated. Were you familiar with that?

KH: Yes.

LN: Can you tell people a little bit more about what happened?

KH: Yeah, well, in that specific case, I’m not actually 100% sure what occurred there, but most of the time your issues are, with a lack of authentication, a lack of encryption, you need to be sure that what the device is talking to on the other end is exactly who they expect it to be, what they expect it to be, and you have to make sure that that communication is secured and unchanged, unaltered. Typically, that’s done by using specific security libraries, integrating them in careful ways, making sure that all communication over the wire is encrypted, things like an asynchronous key generation.

LN: I think, just from my memory of events, one of the problems they discovered is that these protocols, there’s a period of time before authentication occurs, in the preamble when there’s broadcast of the Mac address, the wireless name, and whatnot, where there’s a potential to create an overflow situation, to actually compromise a device before encryption and authentication occurs.

KH: Yes, in certain system designs it is that way.

LN: And, unfortunately, these protocols are, you know, they’re everywhere. So, at the time, I believe that the chip makers and various equipment providers, not just only in the medical area, but across the board, had to create fixes that help protect against these types of cyber-attacks.

KH: Yes.

LN: So, you were talking about UL 2100-1-2, what about TIR57? Can you explain what that is?

KH: So, AAMI TIR57 describes how to marry up the processes of medical safety risk analysis and security analysis. It’s an attempt to show that the security analysis process is actually very similar and very familiar for anybody that’s done the safety risk analysis before. More of less, it takes ISO 14971 and applies security risk management to it with a mix of a little bit of some NIST standards in as well. But the general idea is to really categorize what assets you’re protecting in your system, and the known vulnerabilities that your system has, and then from there, you attempt to determine a list of known attack vectors and categorize the profiles of your possible attackers. With a combination of that type of information, you can assess what the real vulnerabilities and risks are for your system, and design in controls, from the ground up, to make sure that you’ve protected against them.

LN: Yeah, well, this is really fascinating stuff. I appreciate you being on the show, and I look forward to our next segment talking more about cybersecurity and how to keep these devices safe.

KH: Thanks again for having me, Lee.

Don’t Miss Part 1 of this 3-Part Series on Medical Devices

Part 1 of the 3-Part Series on Medical Devices

View Related Articles

To Learn More About Sterling Medical Devices

https://sterlingmedicaldevices.com/company/

FDA Cybersecurity Medical Devices Regulations

https://www.fda.gov/medical-devices/digital-health/cybersecurity

Medical Device Security Challenges

Behind lifesaving medical devices are Cyber Experts hard at work to secure and protect Patient Health Information (PHI). Check out this video on securing medical devices.

Cutting edge medical devices save lives! Not only do they save lives but they carry a vector of complicated communications and a unique set of security challenges. Cyber Security Expert Lee Neubecker, sits down with Sterling Medical Device’s top engineer, Keith Handler who develops cyber protection and security for their client’s medical devices.

Sterling Medical Devices helps companies design and develop mechanical & electronic medical devices and follows them through FDA approval. The conversation is educational and important to those interested in knowing how medical devices are cyber protected and secured. In this video, they outline the concerns that relate to the control, security, and confidentiality of the patient’s health information (PHI) when using these medical devices.

The transcript of Part 1 of our Series in Medical Device Security

Lee Neubecker: Hi, I have Kieth Handler here on my show from Sterling Medical Devices. Keith is a top engineer here that helps ensure cybersecurity and resilience and protection of medical devices of their clients. They help assist through the FDA certification process. Keith, thank you, thank you for being on my show.

Keith Handler: Thanks for having me, Lee.

LN: So can you tell me a little bit about what your firm does and how it helps clients in cybersphere?

KH: Yeah, sure. Sterling Medical Devices is a 13485 certified product development firm. We help various companies design and develop electro-mechanical medical devices. Pretty much from, anything from concept all the way to submission to the FDA.

LN: So, can you tell everyone what, ISO…?

KH: 13485?

LN: 13485 Certification means?

KH: Yes that is, that is the ISO standard that defines the product development and manufacture of medical devices. It defines all the processes that we generally run our business by.

LN: Okay, so what are some of the concerns that you have as it relates to the patient personalized information, sometimes known as PHI? Is that right?

KH: Yeah, patient help information, that’s correct. Well, you know, our first concern, of course, with any medical device is safe. We want to make sure that the devices are treating patients as intended and not presenting any undue harm to the patient or anybody else. The second thing is the Patient Help Information. It’s very important that we maintain confidentiality for all patients, in any of these systems. Diagnostics, their personal information, all need to be protected.

LN: These devices, they have PHI, they also have, they also are involved with the generation of electronic medical records, known as EMR, that feed into the various hospital systems that are used to provide and deliver healthcare to users. As it relates to this, what are some of the top concerns that you try to address as it pertains to safety for your clients?

KH: Well, when it comes to information or command and control that can be done remotely on a device, it’s again important to maintain the integrity of those communications, and to protect everything there. One of the hardest aspects, I would say, is integrating a medical device into a larger hospital system. We may have control over the confidentiality of the information, and of the commands that are sent and received within a device, but as soon as we connect to an external system we lose control of that data. So, it becomes a unique challenge to try and make sure we are protecting, and not only in our system but also in any system ours might integrate with.

LN: Yeah, and there’s such a myriad of ways devices connect, Bluetooth, wifi–

KH: Yes.

LN: I’m not sure if medical devices use infrared or–

KH: Yes.

LN: Near band communication, but there are all these vectors of communication that create new threats and potentials for compromise.

KH: And typically medical hardware is pretty cutting edge, you know, some of the things that they’re trying to treat now still can’t. So all of these things that you’re bringing up, all exist in medical, all need to be protected.

LN: Great, so in our next segment we’ll be talking a little bit more about the FDA, the certification process, and some of the standards that devices might undergo to help ensure adoption by the FDA, and to make them commercially viable to be sold in the United States. And then, in our third segment, we’ll talk more about protecting devices against cyber compromise, the firmware and software that gets embedded into these devices, and other things that should be done to help keep medical devices safe and secure. Thanks for being on the show today.

KH: Thanks again for having me, Lee.

Related Materials on Medical Malpractice

Forensic Imaging

See more about Sterling Medical Devices on their website.

https://sterlingmedicaldevices.com/

See other related websites for more information about Medical Device security.

FDA ISO Standards

https://www.iso.org/standards.html

FDA Medical Device Cybersecurity Guidelines

https://www.fda.gov/medical-devices/digital-health/cybersecurity