Designing Medical Devices to Meet FDA Security Guidelines
The FDA and Department of Homeland Security recently issued an alert urging medical device makers and medical facilities to upgrade their security protections against potential cyber threats. The alert was issued in response to an ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) publication listing more than 300 devices that use hard-coded passwords, which allow hackers to easily gain control of the devices and make it impossible to change the passwords to block future attacks.
The FDA has also issued guidance for OEMs building medical devices. A few of the capabilities recommended in the FDA guidelines include:
- Restricting unauthorized access to medical devices
- Making certain firewalls are up-to-date
- Monitoring network activity for unauthorized use
- Disabling all unnecessary ports and services
Medical devices are specialized products and need a security solution meeting the FDA guidelines. Security solutions used in standard PC environments are a poor fit for medical devices and in many cases won’t even run.
Security Requirements for Medical Devices
A security solution for medical devices must provide the ability to control communications, detect and report attacks or suspicious traffic patterns, and allow centralized control of security policies. These capabilities would give medical devices a much higher level of security than password-only protection and thereby shield them from the majority of cyber-attacks.
The security solution must provide:
- Control of the packets processed by the device
- Protection from hackers and cyber-attacks which may be launched from the Internet, inside the corporate network, or via WiFi networks
- Protection from DoS (Denial of Service) attacks and packet floods
- Ability to detect and report traffic abnormalities, probes, or attacks
- Ability to manage and control changes to filtering policies
These capabilities enable the device to meet the FDA security guidelines.
| FDA Security Guidelines | Device Capability to meet FDA guidelines |
|---|---|
Integrating Security into the Device
Many facilities and campuses have a corporate firewall designed to protect the internal systems from attack. However, the corporate firewall can be breached or bypassed. Building protection into the device itself provides another security layer: the devices no longer depend on the corporate firewall as their sole layer of security.
For new devices, enhanced security can be built into the device itself. This is the same approach taken with PCs today. While a PC may sit behind a firewall on a home or corporate network, it also has a built in firewall and other security software.
An integrated firewall provides a basic but critical level of security for a networked device by controlling which packets are processed by the device. The embedded firewall resides on the device and is integrated into the device's communication stack. The communication requirements of the device are encoded into a set of policies defining allowable communication. The firewall enforces these policies, limiting communication to the IP addresses, ports and protocols specified in the policies.
Since each packet or message received by the device is filtered by the firewall before being passed from the protocol stack to the application, many attacks are blocked before a connection is even established, thereby providing a simple, yet effective layer of protection missing from most devices.
Blocking Attacks with a Firewall
In a system without a firewall, a hacker may attempt to remotely access the device using default passwords, dictionary attacks or stolen passwords. Such attacks are often automated, allowing a huge number of attempts to break the system’s password. However, an embedded firewall configured with a whitelist of trusted hosts can effectively block such attacks: it drops the hacker's packets before they are passed to the application to attempt to log in.
Rules-based filtering provides a simple and effective tool to enforce communication policies, blocking communication from a non-trusted IP address, and isolating the device from attack.
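To make the rules-based filtering described above concrete, here is an added example written for this page (it is not Icon Labs' Floodgate code or any other product's source): a default-deny packet filter that the stack would call before handing a packet to the application. The policy, the management subnet 10.20.0.0/16, the monitoring host 10.20.5.7 and the sample traffic are all constructed for the example; the `IP4` macro, `PROTO_ANY` wildcard and every function name are assumptions, not an existing API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv4 protocol numbers as carried in the IP header. */
#define PROTO_TCP 6
#define PROTO_UDP 17
#define PROTO_ANY 0      /* wildcard used only by this example's rules */

/* Dotted quad to host-order address; usable in static initialisers. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One allow rule. A packet is delivered only if some rule matches it. */
typedef struct {
    uint32_t src_net;   /* trusted source network, host byte order */
    uint32_t src_mask;  /* netmask; 0xFFFFFFFF pins a single host */
    uint8_t  proto;     /* PROTO_TCP, PROTO_UDP or PROTO_ANY */
    uint16_t dst_port;  /* 0 matches any port */
} fw_rule_t;

/* The fields of a received packet the filter needs, after header parsing. */
typedef struct {
    uint32_t src_ip;
    uint8_t  proto;
    uint16_t dst_port;
} fw_packet_t;

/* Policy plus counters the device can later report to a management system. */
typedef struct {
    const fw_rule_t *rules;
    size_t           n_rules;
    unsigned long    accepted;
    unsigned long    dropped;
} fw_policy_t;

static bool rule_matches(const fw_rule_t *r, const fw_packet_t *p)
{
    if ((p->src_ip & r->src_mask) != (r->src_net & r->src_mask)) return false;
    if (r->proto != PROTO_ANY && r->proto != p->proto) return false;
    if (r->dst_port != 0 && r->dst_port != p->dst_port) return false;
    return true;
}

/* Hook called by the stack before a packet reaches the application.
 * Returns true if the packet may be delivered. Anything unmatched is dropped,
 * so a login attempt from an untrusted host never reaches the login code. */
bool fw_filter(fw_policy_t *fw, const fw_packet_t *p)
{
    for (size_t i = 0; i < fw->n_rules; i++) {
        if (rule_matches(&fw->rules[i], p)) {
            fw->accepted++;
            return true;
        }
    }
    fw->dropped++;
    return false;
}

/* Constructed policy for a hypothetical device: the clinical management
 * subnet 10.20.0.0/16 may reach the HTTPS status page, and one monitoring
 * server may poll SNMP. Nothing else is allowed. */
static const fw_rule_t example_rules[] = {
    { IP4(10, 20, 0, 0), 0xFFFF0000u, PROTO_TCP, 443 },
    { IP4(10, 20, 5, 7), 0xFFFFFFFFu, PROTO_UDP, 161 },
};

fw_policy_t example_policy(void)
{
    fw_policy_t fw = { example_rules, sizeof example_rules / sizeof example_rules[0], 0, 0 };
    return fw;
}

/* Would the example policy deliver this packet to the application? */
bool example_allows(uint32_t src_ip, uint8_t proto, uint16_t dst_port)
{
    fw_policy_t fw = example_policy();
    fw_packet_t p = { src_ip, proto, dst_port };
    return fw_filter(&fw, &p);
}

/* Run a constructed traffic sample through the policy and return how many
 * packets were dropped before reaching the application. */
unsigned long example_dropped(void)
{
    fw_policy_t fw = example_policy();
    const fw_packet_t sample[] = {
        { IP4(10, 20, 3, 4),   PROTO_TCP, 443 },  /* nurse station: allowed */
        { IP4(10, 20, 5, 7),   PROTO_UDP, 161 },  /* monitoring server: allowed */
        { IP4(10, 20, 3, 4),   PROTO_TCP, 22  },  /* SSH from trusted net: dropped */
        { IP4(10, 20, 5, 8),   PROTO_UDP, 161 },  /* SNMP from wrong host: dropped */
        { IP4(203, 0, 113, 9), PROTO_TCP, 443 },  /* Internet source: dropped */
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        fw_filter(&fw, &sample[i]);
    return fw.dropped;
}

int main(void)
{
    printf("dropped %lu of 5 sample packets\n", example_dropped());
    return 0;
}
```

The point of the ordering is that the whitelist decision happens in `fw_filter`, before any application code runs: a password-guessing client on an untrusted address never gets a TCP connection to the login handler, so the strength of the password stops being the only thing standing between the attacker and the device. The `accepted` and `dropped` counters are what a management agent would read when reporting to the enterprise security system.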
Building a firewall into a medical device provides a foundation for securing the device. Once deployed, it is critical to be able to manage the security policies on the device and for the device to report invalid access attempts and other security threats. This is achieved by providing integration with enterprise security management systems. The firewall should include a management agent that enables:
- Integration with enterprise security management systems
- Configuration of filtering policies
- Reporting of invalid login attempts and other security incidents
Integration with the security management system allows network management personnel to be notified of security issues, allowing mitigation and preventing issues from proliferating throughout the network. This type of security management is standard policy for PCs and servers. Medical devices are no different - they need to support built-in security and integrate with existing security management systems.
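The reporting side of the management agent described above, as an added example written for this page (not the Floodgate agent or any product's code): each packet the firewall drops is counted per source address, and once a source crosses a threshold inside a time window the device emits one key=value incident line for the agent to forward, with no repeat reports until the window expires so a scanner cannot flood the management system. The device name `infusion-pump-01`, the threshold of five blocked packets in 60 seconds, the table size and the addresses are all constructed; every function name is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED     8    /* per-source slots; kept small, as on an embedded device */
#define PROBE_THRESHOLD 5    /* blocked packets from one host before it is reported */
#define PROBE_WINDOW_S  60   /* counting window in seconds of device uptime */

typedef struct {
    uint32_t src_ip;
    uint32_t window_start;   /* device uptime, seconds */
    unsigned blocked;
    bool     reported;       /* one report per window, to avoid alert floods */
} src_counter_t;

typedef struct {
    src_counter_t slots[MAX_TRACKED];
    unsigned      n_used;
    unsigned      alerts;            /* total reports raised */
    char          last_report[160];  /* last line handed to the management agent */
} fw_monitor_t;

void mon_init(fw_monitor_t *m) { memset(m, 0, sizeof *m); }

/* Find or allocate the counter for src_ip. When the table is full the oldest
 * entry is recycled, so probes from many addresses cannot exhaust it. */
static src_counter_t *mon_slot(fw_monitor_t *m, uint32_t src_ip, uint32_t now)
{
    src_counter_t *oldest = &m->slots[0];
    for (unsigned i = 0; i < m->n_used; i++) {
        if (m->slots[i].src_ip == src_ip) return &m->slots[i];
        if (m->slots[i].window_start < oldest->window_start) oldest = &m->slots[i];
    }
    src_counter_t *s = (m->n_used < MAX_TRACKED) ? &m->slots[m->n_used++] : oldest;
    s->src_ip = src_ip; s->window_start = now; s->blocked = 0; s->reported = false;
    return s;
}

/* Record one packet the firewall dropped. Returns true when this event crossed
 * the threshold and a report line was written to m->last_report. */
bool mon_record_drop(fw_monitor_t *m, uint32_t src_ip, uint32_t now)
{
    src_counter_t *s = mon_slot(m, src_ip, now);
    if (now - s->window_start >= PROBE_WINDOW_S) {   /* window expired: start over */
        s->window_start = now; s->blocked = 0; s->reported = false;
    }
    s->blocked++;
    if (s->blocked < PROBE_THRESHOLD || s->reported) return false;
    s->reported = true;
    m->alerts++;
    snprintf(m->last_report, sizeof m->last_report,
             "device=%s event=blocked_probe src=%u.%u.%u.%u count=%u window_s=%u",
             "infusion-pump-01",                       /* constructed device name */
             (unsigned)((src_ip >> 24) & 0xFF), (unsigned)((src_ip >> 16) & 0xFF),
             (unsigned)((src_ip >> 8) & 0xFF),  (unsigned)(src_ip & 0xFF),
             s->blocked, (unsigned)PROBE_WINDOW_S);
    return true;
}

/* Constructed drop sequence: a scanner at 192.0.2.50 is blocked eight times in
 * eight seconds, a nurse station trips a rule three times, and the scanner
 * returns after the window has expired. */
static void run_example(fw_monitor_t *m)
{
    const uint32_t scanner = (192u << 24) | (0u << 16) | (2u << 8) | 50u;
    const uint32_t station = (10u << 24) | (20u << 16) | (3u << 8) | 4u;
    mon_init(m);
    for (uint32_t t = 0; t < 8; t++) mon_record_drop(m, scanner, t);    /* report at t=4 */
    for (uint32_t t = 10; t < 13; t++) mon_record_drop(m, station, t);  /* below threshold */
    mon_record_drop(m, scanner, 120);                                   /* new window, count 1 */
}

/* Number of incident reports the sequence above produces. */
unsigned example_alerts(void)
{
    fw_monitor_t m;
    run_example(&m);
    return m.alerts;
}

/* True if the report names the scanner and the count at which it fired. */
bool example_report_names_scanner(void)
{
    fw_monitor_t m;
    run_example(&m);
    return strstr(m.last_report, "src=192.0.2.50") != NULL &&
           strstr(m.last_report, "count=5") != NULL;
}

int main(void)
{
    fw_monitor_t m;
    run_example(&m);
    printf("%u alert(s); last report: %s\n", m.alerts, m.last_report);
    return 0;
}
```

The report line is deliberately a flat key=value string: it can be wrapped in syslog or whatever transport the enterprise management system expects without the device needing to understand that system's schema. The same counters feed the policy-management direction as well, since a security team that sees repeated blocked probes from inside the corporate network has the evidence it needs to tighten the filtering policy on the device.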
Many of today’s medical devices and systems are complex connected computers charged with performing critical functions. Firewalls are the cornerstone of security both for PCs and for home or corporate networks. Including a firewall in new medical devices themselves provides a simple and effective layer of security, one that keeps protecting the device even if the corporate firewall and other perimeter security are breached. A small embedded firewall, such as Floodgate from Icon Labs, can be used to protect devices from a wide range of cyber-attacks. By controlling who the device talks to, most attacks can be blocked before a connection is even established.