Noninvasive Postmarket Security Monitoring for Medical Devices

Software-based medical devices enable fast productdevelopment cycles, constructive information sharing, and configurable therapy delivery, resulting in better patient outcomes overall. An unfortunate drawback is that software is complicated and difficult to maintain correctly. Devices with inadequate software maintenance may pose operational risks to network security and patient safety and privacy. This paper describes a noninvasive approach to medical-device monitoring that can address some of the shortcomings of conventional approaches. Protecting software-based medical devices from malware infections or network-based mischief is a growing concern for clinical engineers and healthcare information technology (IT) practitioners. Unlike desktop PCs and laptops, medical devices often lack support for antivirus systems or operating-system patches, despite running off-the-shelf operating systems and commercial third-party software. Manufacturers have cited previous regulatory approval as a reason not to support software updates [1], despite the Food and Drug Administration’s clarifications to the contrary [2]. Medical devices are often in use for decades in clinical settings, during which time the software they are based on continues to change. For example, Microsoft Windows has undergone four major product revisions since the release of Windows XP in 2001, but new medical devices are shipped with Windows XP as recently as 2012 [3], and anecdotal evidence suggests many more are still in use [4]. Microsoft halted support for Windows XP in early 2014. Even when patches are available, administrators tend to emphasize functionality and efficacy over security and avoid applying patches [4] for fear of breaking systems or voiding warranties. Without adequate patching, the threat to connected devices increases with time as more vulnerabilities are discovered. Manufacturers have little incentive to retest devices once they are in the field [5], and testing is not guaranteed to catch vulnerabilities. While proactive manufacturers have been steadily improving their design and maintenance processes for new devices to prevent security holes and permit software patches, healthcare IT practitioners are often left with a mess they cannot effectively maintain. Third-party software also poses challenges for manufacturers and device owners. Devices often ship with commercial or open-source libraries that are maintained separately from a device’s main code, often by completely separate teams. Popular libraries that are easy to use become widespread if they add new capabilities to devices. For example, the OpenSSL library for encrypting communications, which is compatible with a range of systems from embedded to server-class, appears in at least 74 different kinds of devices, each with different update mechanisms. A 2014 Internet scan for a particularly high-impact vulnerability called Heartbleed found that 56% of vulnerable devices were embedded systems [6], which are typically more difficult to update than PCs or servers. Modern applications bring together tens of libraries that must all be considered separate sources of potential security problems.