From pacemakers being hacked live on stage at the world’s top security conferences to attention-grabbing headlines in newspapers, the public perception of medical device security is not good.

But according to Dan Lyon, principal consultant at Synopsys, the situation is far more nuanced.

“What the media sends out there is that vulnerabilities are everywhere, when for the most part you could say that mostly they're fine. But you just don't want to be one of the things that isn't, even if it's a small percentage,” he says.

Nevertheless, in an industry that is adding connectivity to long-established products, there are still issues.

“Most connected devices are immature in terms of they're succeeding at doing things where there are huge benefits for connectivity, but not necessarily understanding the attack surface they've created.”

Security’s place in the evolution of medical devices

Given what is at stake for patients, medical devices are built to an extremely high level of quality. However, most experts in the field were developing these devices long before they offered connectivity, so security is a new challenge that many are still working to embrace.

“It's very different from going into a financial institution where everyone is 25. And there's a whole new security culture that has to be adopted,” says Lyon.

“I don't want to say old dog, new tricks, but that's kind of the world that exists for medical devices. And so there's a lot of problems.”


This has also been Lyon’s own experience.

“I used to be an embedded developer, so I lived in the introverted world of non-connectivity,” he explains. “And our concerns about security were almost non-existent, [but] quality was very, very high.”

Defensics: testing medical devices to destruction

Now that connectivity is becoming the norm for the medical device industry, it is up to companies like Synopsys to ensure security is handled effectively. With many devices, however, it is not a matter of building security into a new product but of adding it to an existing one.

“We talk about threat modelling, attack surface, getting our security right from the beginning. But the reality is most people are working with legacy things, legacy applications, legacy devices, that they are moving into the connected world,” says Lyon.

“Some things are being designed from scratch, which is great, those are much better.”


For new products, the ideal approach is to build security in from the start, but for legacy products it is a matter of testing devices to destruction to see where the vulnerabilities lie.

“We have something called Defensics, which is designed to attack the fully assembled hardware or software device, and that's what we use a lot on medical devices that are already in deployment to try and see if we can essentially destroy them,” he says.

Defensics, Synopsys’s fuzz-testing tool, is not used only on medical devices but across the spectrum of connected devices.

“Any IoT company, they'll bring us a product and say: 'OK, what can we do with that?' And it doesn't take long before we can break it. It seems it's a very confident demo, with Defensics.”
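Testing a finished device to destruction is, in practice, fuzzing: feeding each interface structurally plausible but malformed input and watching for crashes or memory corruption. The block below is an added example written for this page, not Synopsys's Defensics code and not any real device protocol. It assumes a constructed toy wire format (a one-byte length prefix, a message id, then the payload) parsed into a fixed 16-byte record, and it uses a canary zone after the record to stand in for the crash detector a real fuzzer relies on. A generator that knows the format produces the anomalies a protocol fuzzer would try (oversized payloads, length fields that disagree with the bytes present, random garbage), and the same campaign is run against a legacy parser that bounds-checks only its input and against a hardened parser that also checks the destination.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy wire format for this example, not a real device protocol:
 * [len:1][msg_id:1][payload:len]. The device parses it into a 16-byte record. */
#define PAYLOAD_CAP 16
#define GUARD_LEN   256            /* canary zone after the record; detects overflow */
#define MSG_MAX     (2 + 255)

typedef int (*parser_fn)(const uint8_t *msg, size_t n, uint8_t *record, size_t cap);

/* Legacy parser: checks that the *source* holds len bytes but never checks the
 * *destination* capacity. This is the kind of defect black-box fuzzing of a
 * finished device surfaces. Deliberately vulnerable for the demonstration. */
int parse_legacy(const uint8_t *msg, size_t n, uint8_t *record, size_t cap)
{
    (void)cap;                             /* capacity ignored: the bug */
    if (n < 2) return -1;
    size_t len = msg[0];
    if (n < 2 + len) return -1;            /* only the source is bounds-checked */
    memcpy(record, msg + 2, len);          /* overflows the record when len > cap */
    return (int)len;
}

/* Hardened parser: rejects anything the record cannot hold before copying. */
int parse_hardened(const uint8_t *msg, size_t n, uint8_t *record, size_t cap)
{
    if (n < 2) return -1;
    size_t len = msg[0];
    if (len > cap) return -2;              /* destination bound checked first */
    if (n < 2 + len) return -1;
    memcpy(record, msg + 2, len);
    return (int)len;
}

/* Deterministic xorshift PRNG so any failing case can be replayed by iteration. */
static uint32_t rng_state = 0x12345678u;
static uint32_t rng(void)
{
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

/* Model-based case generator: it knows the format has a length prefix and
 * produces the anomalies a protocol fuzzer would try. Returns message length. */
static size_t gen_case(uint8_t *msg)
{
    uint32_t kind = rng() % 4;
    size_t n, i;
    switch (kind) {
    case 0:  n = 2 + rng() % (PAYLOAD_CAP + 1); break;                   /* well-formed */
    case 1:  n = 2 + (PAYLOAD_CAP + 1) + rng() % (255 - PAYLOAD_CAP); break; /* oversized, consistent */
    case 2:  n = 2 + rng() % PAYLOAD_CAP; break;                         /* truncated */
    default: n = rng() % MSG_MAX + 1; break;                             /* random bytes */
    }
    for (i = 0; i < n; i++) msg[i] = (uint8_t)rng();
    if (kind == 0 || kind == 1) msg[0] = (uint8_t)(n - 2);              /* length matches */
    if (kind == 2) msg[0] = (uint8_t)((n - 2) + 1 + rng() % 64);         /* claims more than present */
    return n;
}

/* Parse one message into a scratch record and return the parser's status code. */
int parse_status(parser_fn parse, const uint8_t *msg, size_t n)
{
    uint8_t slab[PAYLOAD_CAP + GUARD_LEN];
    return parse(msg, n, slab, PAYLOAD_CAP);
}

/* Run `iters` generated cases against one parser and return how many of them
 * wrote past the record into the canary zone (a memory-safety failure). */
int run_campaign(parser_fn parse, int iters)
{
    uint8_t msg[MSG_MAX];
    uint8_t slab[PAYLOAD_CAP + GUARD_LEN];  /* record followed by canary bytes */
    int crashes = 0, it;
    rng_state = 0x12345678u;               /* reproducible campaign */
    for (it = 0; it < iters; it++) {
        size_t n = gen_case(msg), i;
        memset(slab, 0xA5, sizeof slab);
        parse(msg, n, slab, PAYLOAD_CAP);
        for (i = PAYLOAD_CAP; i < sizeof slab; i++)
            if (slab[i] != 0xA5) { crashes++; break; }
    }
    return crashes;
}

int main(void)
{
    printf("legacy parser:   %d of 1000 cases corrupted memory\n", run_campaign(parse_legacy, 1000));
    printf("hardened parser: %d of 1000 cases corrupted memory\n", run_campaign(parse_hardened, 1000));
    return 0;
}
```

The legacy parser passes every hand-written "happy path" test and only fails once the generator sends a message whose length prefix is consistent with the bytes on the wire but larger than the record it is copied into. The canary check is the part a real campaign gets from a debugger, sanitizer or watchdog reset; on a deployed device the same defect shows up as a crash or hang rather than a counter.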

Education: the key to future security

While there are issues, it is important to remember that medical devices are significantly more secure than the average consumer device. However, if the industry is to improve, says Lyon, more education is needed, and not just for developers.

“Developers, for the most part, are learning faster than the people who are managing them and the people who are paying the people who are managing them; people who are creating the incentives all the way down the chain,” says Lyon.

“And so there needs to be an education piece perhaps starting with developers so that it feeds up – so that when they become managers they already understand that quality in security is something we have to be taking seriously, and not just hoping some connectivity onto an existing scenario makes this happen.

“I think education is absolutely critical.”
