by
Gus Iversen, Editor in Chief | May 01, 2020
From the April 2020 issue of HealthCare Business News magazine
Usually it is a combination of these factors that causes the security issues to exacerbate and become difficult to manage.
HCB News: When we think of software patches, major capital equipment often comes to mind, but do security issues also exist with smaller medical devices?
SP: A great deal of capital equipment relies on widely used operating systems like Windows or Linux, which have software update capability built in, so the issues caused by lack of updatability are less prevalent in those systems. Whereas a lot of smaller medical devices either rely on custom RTOS (real time operating system) or have a proprietary embedded application running on them, which does not have built-in software updating capability. This has caused the majority of older, smaller medical devices to have vulnerabilities in them that remain unpatched.
On the other hand, a lot of these devices used to be non-networked. Hence the security attack vectors impacting large capital equipment didn’t affect those non-networked devices. In other words, they couldn’t be remotely attacked easily due to lack of connectivity, so large-scale attacks were practically impossible. But as more of these smaller devices get networked and have connectivity, it has become important to have software updating capability.
HCB News: How do smaller devices present unique challenges? Can you share an example?
SP: Smaller devices have different risk posture depending upon their use case scenario. Implantable devices, for example, can have a high risk profile but if they are not connected then the probability of an exploitable vulnerability diminishes. Furthermore, smaller devices face unique challenges in terms of technical capabilities to support security controls; lower processing power, lower memory availability and lower battery capacity.
An example where these issues come into play is cryptographic algorithms being used for encryption-decryption and authentication since these algorithms are mathematically expensive, hence, resulting in greater battery and processing power usage than some of the smaller devices could sustainably handle.
Another facet where the difference between large equipment and smaller devices is highlighted is their prevalent use case scenarios. Typically larger devices are used for diagnostics, whereas smaller devices like an insulin pump or a pacemaker, are used for delivering treatments. Hence, the impact of a security issue in larger devices may cause false diagnosis, whereas in smaller devices like a pacemaker it could severely harm the patient. So the cause and effect are delayed in large equipment versus immediate in smaller devices when it comes to exploitable security issues.
