A collection of research scientists, with help from the IEEE Cybersecurity Initiative, have released a new set of guidelines for developers to take into account to ensure security figures into how medical devices are coded.
The paper, “Building Code for Medical Device Software Security,” (.PDF) was released Monday and authored by Dr. Tom Haigh, a researcher at Adventium Labs and Carl Landwehr, a lead research scientist at George Washington University. The researchers liken their set of guidelines to building codes. Much like how building codes help structures withstand weather and fire, if implemented correctly, the researchers hope their codes help software stand up to the demands of its environment, including attacks that may leak data, or impede or alter a device’s function.
The manifesto, which focuses more on implementation than design, breaks medical device security down into 10 categories.
The first and perhaps simplest precaution IEEE is encouraging developers to take is to use memory safe languages and secure coding standards. Safer practices, even at the lowest level, can prevent memory access errors, implementation errors and exploitable language constructs that can go on to plague code, researchers warn.
As should be expected the group also advocates for developers to use carefully vetted cryptography and seek algorithms that have received open certification. When generating random numbers, they should be used correctly and not be reused.
Only as a “last resort,” the report claims, should developers implement their own crypto algorithms, and that’s after they’ve subjected them to expert review prior to adoption and implementation.
“Mistakes can nullify even well-designed cryptographic mechanisms,” the researchers point out.
Additional guidelines listed in the document encourage developers to use digitally signed firmware, whitelists, and software that logs security events in their medical devices, among other recommendations.
A group of 40 experts from varying fields, including medical device researchers, cybersecurity researchers, software engineers, and regulators, hammered out the guidelines over the course of two days in New Orleans last November. The workshop was funded by both the IEEE and the National Science Foundation’s Secure and Trustworthy Cyberspace program.
The experts stress that their recommendations should merely serve as a starting point for developers looking to craft secure medical device code.
“It is of course impossible to develop a complete code in a two-day workshop,” Landwehr writes, “The intent of this initial code is to provide a basis that developers can use to rule out the most commonly exploited classes of software vulnerabilities.”
“There is more work to do, so we encourage the industry to participate in our effort to create a foundation for a more complete code for the medical device industry to apply,” Landwehr said, adding that additional codes could be created for the research around design and test phases of medical devices..
Attackers have had a field day with medical devices over the last several years.
Earlier this month Jeremy Richards, a researcher with the SAINT Corporation, fiddled around with drug pumps manufactured by the medical device firm Hospira. With very little work, Richards was able to rig the pumps to run commands that opened it up to attack and ultimately bricked the devices.
It’s been almost two years since the FDA urged medical device manufacturers to take security more seriously and roughly four years since Barnaby Jack, considered by many as a pioneer of sorts in the field of medical device security, publicized his research about how pacemakers and insulin pumps can be hacked.
