Kim Singletary is Director of Technical Solution Marketing at McAfee. Singletary has more than 15 years of experience ...
In reviewing the United States Government Accountability Office's recent (August 2012) report on medical devices, a few lessons jumped out at me regarding the evolution of information security.
1) Information security is viewed as part art, part science, and part luck!
This applies partly to the medical device manufacturers and partly to the FDA. In the current ecosystem, manufacturers are under pressure to innovate. They are creating some genuinely life-altering technology, but they should be partnering with security leaders who participate in the design and development process. In this complex industry, mistakes are too costly, and even the FDA may not have a robust enough analysis framework to catch the risks. Manufacturers submit their devices to the FDA, which vets, assesses and reports on their compliance, so any gap in the assessment framework is perpetuated across every assessment that uses it. Manufacturers work toward approval so they can get to market, but as these devices grow more complex, the assessment may not have evolved to consider key aspects, such as the wireless communications these devices now rely on.
2) Motivation can always change, and intentional threats should always be considered.
This is one area where the report's underlying assumption runs counter to the intuition of anyone actually working in the security industry. Bad code, bad actors and risk are everywhere, so the challenge is how to deploy a technology in its real context with the appropriate controls, mitigations or best practices so that its benefits can be realized safely. The fact that 'intentional' threats were never considered seems a bit absurd.
3) Some technologies are disposable, but others will live on and on. We need to determine how to deal with the inevitable need for patching and upgrades.
According to the report, the programming language used to create the software for the insulin pump has not been supported since 2008. Software today is the key ingredient in most complex medical devices. It is also what is driving the boom in medical apps, another area in which the FDA is considering regulation. Software enables the rapid growth of this industry, but it is also a possible threat vector and requires more care, maintenance and vigilance to ensure reasonable security.
Information security is a discipline that needs to be integrated more deeply into healthcare devices, including the framework for their approval and their ongoing analysis.