Vulnerabilities can be cured too

Posted on 02/04/2016, by INCIBE

Like other industrial sectors, the medical sector has evolved to include technologies within its environments. These technologies, which sometimes seem too futuristic to become a reality, have gradually been incorporated into medicine with a view to improving certain healthcare services: computerised devices that guide operations requiring great precision of movement, endoscopic cameras, 3D printers for creating implants, etc.

To help patients with diseases that affect the functioning of certain parts of the body to lead a more comfortable life, devices have been implanted into different areas of the body, depending on the objective of each.

- Sample of medical devices -

The communication of these implants with the exterior is usually carried out through radiofrequency, thus facilitating the exchange of data with the healthcare technicians who control them or with handheld stations made available to patients, such that the latter can monitor the results of their actions with the implants when carrying out their daily tasks or other types of activities. In the field of veterinary medicine, the use of these types of devices for medical monitoring is very common.

We should highlight the possibility of the implants communicating with different protocols depending on the method of measurement. That is, communication carried out by devices used by technicians for reviewing the data stored may be different from the communication established with the different handheld stations that patients have (radio interference within the hospital is much more controlled than that which may originate outside it).

In this context, some of these new devices are able to communicate over radio frequency or over networks, which in particular circumstances allows remote access and the manipulation of certain settings. Despite the fact that the use of this remote access requires extensive knowledge of the technology involved, manufacturers devote a lot of attention to security against the possible malicious or fraudulent use of this access, and invest significant effort in improving the protection of all devices.

Communications over Radio Frequency

The use of radio frequency represents a certain problem for all patients who possess these devices; manufacturers and the medical professionals who implant the devices take this into account. Some particularly important points which are known and managed in ensuring the proper functioning of these types of device are:

  • Inadequate use of the devices and the technology they include, often due to a lack of explanations or manuals.
  • The loss or degradation of communication during data transmission, which can be caused by the interference of wireless signals or electromagnetic interference (EMI) either with the device itself or with its wireless transmissions.
  • The compromise of wireless communications due to the use of protocols which do not encrypt data exchange.
  • International availability of different allocated frequency bands, given that patients may be located in different geographic areas, or move from one to another.

A good tool for managing these risks is standard ISO 14971, which establishes the risk management requirements in order for the manufacturer to determine the security of a healthcare product throughout the product’s whole lifecycle.

Protecting communications

In a setting like healthcare, the importance of adequately protecting these devices' means of communication is easily deduced.

Key points in their protection are the use of encryption for wireless traffic and controlling access to data stored both on the device itself and on other devices with which it communicates and exchanges information. In summary, the protection of these devices comprises:

  • Protection against unauthorised access both to the control of and to the data stored on the device, including protocols which maintain the security of communications, preventing known protocol deficiencies.
  • Protection of the software itself to avoid unauthorised access, with an access control for the device.
  • Configuration of necessary services taking into account the opening of communication or management ports and default users.
  • Secure updates and maintenance of software to avoid the exploitation by third parties of possible discovered software vulnerabilities.
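
The first point in the list above, sketched as an added example (not from the original post or from any device manufacturer): a receiver that accepts a command frame only if it carries a valid HMAC-SHA256 tag and a fresh counter, so frames altered or replayed over the radio link are rejected. The frame layout, key and command codes are assumptions made for illustration; confidentiality would additionally need an authenticated cipher, which is not shown.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16                      # truncated HMAC-SHA256 tag, in bytes
HEADER = struct.Struct(">IQB")    # assumed layout: device id, counter, command code

def seal(key, device_id, counter, command, payload=b""):
    """Programmer side: build header + payload and append the tag."""
    body = HEADER.pack(device_id, counter, command) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Device side: authenticate first, then parse, then check freshness."""
    def __init__(self, key, device_id):
        self.key, self.device_id, self.last_counter = key, device_id, 0

    def accept(self, frame):
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("short frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise ValueError("bad tag")
        device_id, counter, command = HEADER.unpack_from(body)
        if device_id != self.device_id:
            raise ValueError("wrong device")
        if counter <= self.last_counter:             # replay or reordering
            raise ValueError("stale counter")
        self.last_counter = counter
        return command, body[HEADER.size:]

def verdict(receiver, frame):
    """Return 'accepted' or 'rejected: <reason>' for one received frame."""
    try:
        receiver.accept(frame)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"

if __name__ == "__main__":
    key = bytes(range(32))                           # constructed demo key
    rx = Receiver(key, device_id=0x1234)
    good = seal(key, 0x1234, 1, 0x02, b"\x05")       # constructed frame
    altered = good[:13] + b"\x63" + good[14:]        # payload byte changed in transit
    for label, frame in [("altered", altered), ("genuine", good), ("replayed", good)]:
        print(label, "->", verdict(rx, frame))
```
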

As should be expected, the medical sector is involved in the development of secure medical devices; its monitoring of the development and implementation of devices is ever growing, taking very much into account for whom these devices are intended.

Security in medical devices: Real cases

One of the first news items with respect to the manipulation of medical devices appeared in 2008 when researchers from different universities, all related to the world of medicine, studied the functioning of a pacemaker/cardioverter-defibrillator device. These researchers were able to reprogramme the functioning of the device and could deliver electric shocks at a power that would be fatal if these tests were carried out on a device of this type implanted in a person.

Moreover, they were capable of collecting personal data through listening to the radio signals that the device generates to allow doctors to monitor and adjust the parameters of the device without surgery.

In 2011, the security researcher Jay Radcliffe presented further vulnerabilities in medical devices, specifically in insulin pumps, and in his own pump in particular. Once again, the vulnerability was related to the way in which the device communicated. Analysis of the protocol showed that the communications were not encrypted and did not have sufficient levels of security to prevent them from being manipulated.

Other, more recent cases of vulnerabilities in medical devices are available in the INCIBE ICS advisories section; here are some examples:

All of the above are related to models of pumps that intravenously supply drugs to patients.

Manufacturers work to prevent and react to these vulnerabilities by developing exhaustive processes for design, testing, communications use and possible uses of the device before it arrives in the body of its user.

There is no doubt that technology and research together are driving forward the field of medicine to improve our quality of life. Work in the field of medicine requires specific levels of security and quality processes in the same way as does critical infrastructure, with the special condition that, in the case of specific devices, lives are very much on the line.