Medical device security: A new look at open source software
By Derek Weeks
We all do it. When we sense something wrong with our health, we often go to the internet, plug in our symptoms and try to diagnose the issue.
In our ever-connected world, we are not the only ones using the internet. In order to improve the effectiveness and safety of our healthcare system, hospital infrastructure, medical devices, and doctors are also connected to the internet. The smarter our healthcare systems are, the better quality of care we’ll receive.
Then there is this:
- In early 2016, Hollywood Presbyterian Hospital was hit with a ransomware attack stemming from a known vulnerability in open source software components used in some of its applications.
- In March 2016, researchers discovered "715 known security vulnerabilities in automated supply cabinets used to dispense medical supplies" having a severity rating of high or critical.
- Last fall, Johnson & Johnson warned consumers of security flaws found inside the software supporting their insulin pumps.
- In January, the FDA and DHS issued an advisory warning of security vulnerabilities found in St. Jude Medical's Merlin@home unit that could affect the company's implantable cardiac devices (ICDs).
- Last month, 8000 known security vulnerabilities were found in open source libraries used to build the software supporting four well-known pacemaker programming machines.
Fit, healthy, and secure
In order to keep us healthy and ensure proper care, our connected healthcare systems also need to be secure.
An effort to keep our healthcare system and medical devices secure is being spearheaded by the Healthcare Industry Cybersecurity Task Force. Last week, the task force released a comprehensive report stating "the healthcare system cannot deliver effective and safe care without deeper digital connectivity. If the healthcare system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security."
The task force identified six high-level imperatives to guide recommendations and actions for the healthcare community addressing leadership, the workforce, information sharing, and software application analysis.
Software bill of materials
Among the recommendations from the task force was the call to improve transparency with regard to open source software components being used in medical devices:
"Improve manufacturing and development transparency among developers and users. In order to track medical device vulnerabilities, there is a need for transparency regarding third party software components. Having a "bill of materials" is key for organizations to manage their assets because they must first understand what they have on their systems before determining whether these technologies are impacted by a given threat or vulnerability. Moreover, this transparency enables healthcare providers to assess the risk of medical devices on their networks, confirm components are assessed against the same cybersecurity baseline requirements as the medical device, and implement mitigation strategies when patches are not available."
The recommendation ends by stating, "To date, this practice has not been widely adopted."
While cybersecurity practices across the medical device industry need to be improved, the technology to support them has been accessible for years. For any medical device makers looking to create a "software bill of materials," Sonatype offers this analysis as a free service. Creating a bill of materials is simple; the end-to-end elapsed time to analyze an average-sized application is between 10 and 15 seconds.
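As an added illustration (not Sonatype's tooling and not code from the original post), the following Python does the two-step check the task force describes: first read what components a device application actually contains from a bill of materials, then cross-reference them against an advisory feed and separate the hits that have a patched release from those that do not, so the latter can be routed to mitigation. The CycloneDX-style SBOM, the feed layout and the advisory ids are all constructed placeholders, and the feed's version-range shape is an assumption.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical device application (sample data only).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "com.example", "name": "example-parser", "version": "2.3.1"},
    {"type": "library", "group": "com.example", "name": "example-http", "version": "1.9.0"},
    {"type": "library", "group": "com.example", "name": "example-log", "version": "3.0.0"}
  ]
}"""

# Constructed advisory feed (placeholder ids): affected range is [introduced, fixed);
# "fixed": None means no patched release exists yet.
VULN_FEED = [
    {"id": "CONSTRUCTED-ADV-001", "group": "com.example", "name": "example-parser", "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "CONSTRUCTED-ADV-002", "group": "com.example", "name": "example-http", "introduced": "2.0.0", "fixed": "2.0.3"},
    {"id": "CONSTRUCTED-ADV-003", "group": "com.example", "name": "example-log", "introduced": "3.0.0", "fixed": None},
]

def parse_version(text):
    # '2.3.1' -> (2, 3, 1); a non-numeric segment counts as 0 so tuples compare safely
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(version, introduced, fixed):
    # True when version lies in [introduced, fixed); fixed=None means every later version
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def load_components(sbom_json):
    # Pull (group, name, version) triples out of a CycloneDX JSON document
    bom = json.loads(sbom_json)
    return [(c.get("group", ""), c["name"], c["version"]) for c in bom.get("components", [])]

def match_sbom(sbom_json, feed):
    # Each hit is (coordinate, advisory id, patch_available); unpatched hits need a mitigation plan
    hits = []
    for group, name, version in load_components(sbom_json):
        for adv in feed:
            if (adv["group"], adv["name"]) == (group, name) and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append((f"{group}:{name}:{version}", adv["id"], adv["fixed"] is not None))
    return hits
```

With the sample data, `match_sbom(SBOM_JSON, VULN_FEED)` reports example-parser (upgrade available) and example-log (no fix yet), and leaves example-http alone because its version predates the affected range.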
Written by Derek Weeks
Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.