Improving Medical Device Safety Through Adversarial Thinking
For decades, the design and development of medical devices has been based on a benevolent mindset: putting health technology in the hands of trusted clinicians and physicians with the sole purpose of improving diagnostic approaches and treatment, outcomes, and individual health and well-being. However, the overall landscape has shifted from stand-alone, special-purpose devices to integrated, connected systems of systems. This is largely due to the growing number of innovative solutions that include cloud-based systems, mobile and wearable devices, Internet of Medical Things (IoMT), patient portals, and more. Our desire to build things to improve people’s lives coupled with growing consumer demand for technology will continue to accelerate technological progress in health care.
This proliferation of connected medical devices and systems integrated into networked ecosystems is forcing changes in the way software-intensive medical devices are designed and developed. What also needs to change is this benevolent mindset. Admittedly, the aspect of “good intentions” remains essential; however, today’s connected health landscape calls for the adoption of a more adversarial point of view. This fundamental shift in mindset requires expanding the definition of “users” of these connected medical devices to include not only physicians and clinicians, but also patients, biomedical engineers, device manufacturers, service personnel, and IT personnel. Additionally, the definition of “users” must now also include unintended users or “bad actors”. Bad actors range from adversaries (hackers/script kiddies, organized crime) to competitors and even hostile insiders (intended users) who seek to gain and exploit unauthorized access to medical technology and information for competitive and financial gain or to cause harm to patients via cyber-physical effects.
Why now? A plea for a change of perspective
Connected medical devices deployed in medical/healthcare facilities often have trust relationships within the hospital infrastructure (e.g. HL7, DICOM, LDAP servers), providing broader exposure (i.e. potential attack surfaces) that can be exploited by an adversary to disrupt services and potentially cause harm. Medical devices containing wireless technologies such as Bluetooth and Wi-Fi offer further opportunities to exploit vulnerabilities (e.g. BlueBorne, Bluetooth impersonation attacks (BIAS), FragAttacks, etc.) from the waiting room, hospital parking lot, or anywhere wireless signals can reach. Exploiting an internally connected medical device can in turn provide unintended lateral access to hospital infrastructure. This backdoor access to the network can lead to the creation of botnets behind hospital firewalls or the installation of ransomware, all of which can bypass the logging and intrusion detection that are normally applied at the firewall/router level.
Connected devices are increasingly being used to compromise security certificates, steal intellectual property and leak sensitive patient information. Data from Cisecurity.org indicates that there has been a 700% increase in COVID-themed phishing emails aimed at the healthcare sector and the public, and 12.6 million people (about double the population of Arizona) were affected by 162 hacking incidents at healthcare entities within three months. According to a 2021 survey by Security Intelligence, 42% of 597 hospitals surveyed experienced at least two ransomware attacks. In a 2022 report, Unit 42 researchers analyzed more than 200,000 infusion pumps and found known security flaws in 75% of them. These types of vulnerabilities could allow hackers to alter the drug dosage of unsuspecting patients, or even deliver a lethal dose. Other devices like pacemakers are also susceptible to compromise and control by cybercriminals wishing to alter the way the device works.
Until now, our state of mind has been one of benevolence. We trust our suppliers and employees and take it for granted that our internal firewalled networks are secure. We believe we make few or no mistakes. We are confident that everyone will use the devices as labeled and that no abuse of the system is likely to occur. As the hacks and breaches just mentioned demonstrate, that trust is misplaced. We can no longer trust or believe that everyone will do the right thing.
Understand the adversarial mindset
To start dealing with this epidemic of threats, a new way of thinking about medical device software development is essential to anticipate and mitigate how a device can be misused and/or compromised. We no longer just have to think in terms of “intended use”, but also start thinking like a potential aggressor. We call this new perspective adversarial thinking.
Adversarial thinking involves understanding the attackers' unconventional perspectives, reasoning and ways of working to identify which threats and vulnerabilities they might target to exploit and how. This type of thinking is not a new concept. It has been a core part of the Department of Defense (DoD) product development strategy for decades and influences how they approach the design, implementation and deployment of military assets and infrastructure.
Adversarial thinking is unnatural for most engineers. Good software engineering focuses on how to make things work well, be easy to use, and accessible, while an adversarial mindset means thinking about how to circumvent security measures, falsify the data and leave no trace. This shift in mindset requires thinking about where threats originate within a hospital and beyond: expected medical staff, manufacturer operations and support staff, or supply chain, hospital and shipping staff, because anyone in the chain can introduce a weakness that a hacker can exploit. A chain is only as strong as its weakest link.
Incorporate adversarial thinking into your security risk management process
As is typical of regulated markets, the application of analysis, especially adversarial thinking, is supported by FDA guidelines, industry standards, and structured processes. Capturing the results of this adversarial thought process is now part of the security risk management process. As medical device OEMs take an adversarial approach when developing software and combine this new “security mindset” with their security risk management process, they will improve the information security and cybersecurity of their products and better protect health system infrastructure from being a launch point or target for cyberattacks.
Medical device manufacturers need to incorporate adversarial thinking into the implementation and execution of their security risk management process. This process should include the entire lifecycle of the device, from requirements and development to decommissioning and disposal. A comprehensive security risk management process should include threats from insiders, vendors, and competitors. In addition, assessed threats must include reasonably foreseeable misuse, which, given the current cyber vulnerability landscape, must account for many new and emerging threats.
Step 1: Develop a Threat Model: Identify assets, threats and vulnerabilities
Examine the complete product life cycle, from supply chain, manufacturing, shipping, installation, maintenance, and field service to dismantling and destruction, to create a threat model. Identify the threats and vulnerabilities that apply to each asset. Analyze key data streams and identify potential asset exposure at every system interface.
Step 2: Perform an exploit and impact analysis
Using your threat model, think about what could happen to various assets at each of the lifecycle phases. What would happen if your medical device were disposed of at its end of useful life and someone removed the hard drive? What would be disclosed? Are your certificates compromised? Would your intellectual property be disclosed? Would user credentials or patient data be leaked? If your product includes consumables, could any of these items leak information to someone seeking to make a counterfeit? Could part of your consumable, such as an RFID tag, be recovered and reused in a counterfeit product to make it appear authentic? As you think through these scenarios, document each potential exploit and document the impact analysis.
Step 3: Identify and implement security risk controls
Using the exploit and impact analysis results, determine the appropriate security risk control measures needed to effectively control the identified risks. Then implement these risk controls in your product.
Step 4: Check security risk controls
Develop and execute a risk control audit strategy. The tests must prove that the risk controls are effective and complete.
Step 5: Write the security risk management report
Finally, write your report. The report should demonstrate the level of effectiveness of the risk controls and identify the residual risk.
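The five steps above, sketched as a minimal risk register in Python. This is an added example, not part of the original article: the 1-5 scoring scale, the acceptance threshold, the control names and the sample entries are constructed assumptions, built from the Step 2 scenarios (hard drive removed at disposal, RFID tag reuse).

```python
from dataclasses import dataclass, field
# Lifecycle phases from Step 1 (names shortened for this example).
PHASES = ["supply chain", "manufacturing", "shipping", "installation",
          "maintenance", "field service", "disposal"]

@dataclass
class Control:
    name: str
    reduction: int          # likelihood points removed if the control works
    verified: bool = False  # Step 4: has a test shown it to be effective?

@dataclass
class Threat:
    asset: str
    phase: str
    exploit: str
    likelihood: int  # 1..5, constructed scale
    impact: int      # 1..5, constructed scale
    controls: list = field(default_factory=list)

    def initial_risk(self):
        return self.likelihood * self.impact

    def residual_risk(self):
        # Only verified controls count: an untested control is not evidence.
        cut = sum(c.reduction for c in self.controls if c.verified)
        return max(1, self.likelihood - cut) * self.impact

def uncovered(assets, threats):
    """Step 1 gap check: asset/phase pairs with no threat analysed yet."""
    seen = {(t.asset, t.phase) for t in threats}
    return [(a, p) for a in assets for p in PHASES if (a, p) not in seen]

def report(threats, acceptable=6):
    """Step 5: rows of (asset, phase, initial, residual, status, unverified)."""
    rows = []
    for t in sorted(threats, key=lambda t: -t.residual_risk()):
        pending = [c.name for c in t.controls if not c.verified]
        ok = t.residual_risk() <= acceptable and not pending
        rows.append((t.asset, t.phase, t.initial_risk(), t.residual_risk(),
                     "accepted" if ok else "open", pending))
    return rows

# Constructed register built from the Step 2 scenarios in the article.
THREATS = [
    Threat("hard drive", "disposal", "drive removed; data and certificates read",
           4, 5, [Control("full-disk encryption", 3, verified=True)]),
    Threat("RFID tag", "field service", "tag reused in a counterfeit consumable",
           3, 4, [Control("single-use tag counter", 2, verified=False)]),
]
```

Calling report(THREATS) lists the RFID entry first and leaves it open because its only control is unverified, while uncovered(...) returns the asset/phase pairs that still have no analysis behind them.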
A submission to the FDA will require objective evidence that your product has gone through the rigors of your safety risk management process. It will also require evidence that security risks leading to potential safety risks have been identified and incorporated into your security risk management process. The artifacts of the risk management process are your objective evidence, and the reports are your opportunity to demonstrate that the processes were fully and effectively performed.
For a medical device that contains software, adversarial thinking, when combined with early security risk analysis and security-centric software lifecycle practices, can be an effective way to identify and control security risks from the start of the project. By designing for security from the start, you minimize the security exposure of your device and its software.