

Jason Healey, Neal Pollard, and Beau Woods

Atlantic Council
BRENT SCOWCROFT CENTER in partnership with
© 2015 The Atlantic Council of the United States. All rights reserved. No part of this publication may be reproduced or
transmitted in any form or by any means without permission in writing from the Atlantic Council, except in the case of brief
quotations in news articles, critical articles, or reviews. Please direct inquiries to:

Atlantic Council
1030 15th Street, NW, 12th Floor
Washington, DC 20005

ISBN: 978-1-61977-981-5
Publication design: Krystal Ferguson; Photo courtesy of Intel Security.

This report is written and published in accordance with the Atlantic Council Policy on Intellectual Independence. The authors
are solely responsible for its analysis and recommendations. The Atlantic Council and its funders do not determine, nor do they
necessarily endorse or advocate for, any of this report's conclusions.

March 2015

Executive Summary

The Promise of a New Age of Medical Technology

The Risk Landscape

Sources of Risk in Networked Medical Devices

Recommendations for Better Safety, Security, and Effectiveness in Networked Medical Devices

1. Build Security into Devices from the Outset, Rather than as an Afterthought

2. Improve Private-Private and Public-Private Collaboration

3. Evolutionary Change of the Regulatory Approval Paradigm for Medical Devices

4. Independent Voice for the Public in Cybersecurity Discussions

Conclusion


The Internet of Things (IoT) of digital, networked technology is quickly moving to the forefront of society, the global economy, and the human experience.

The IoT sometimes refers to colossal, impersonal concepts like connecting electricity grids to the Internet for economic or environmental considerations. But the IoT can be intensely personal as well. In the world of healthcare, software engineers are weaving networked medical devices into the fabric of the IoT. These devices, which can be worn or even implanted inside the body, are used to medicate, treat diseases, and maintain general health and wellness.

This report, a collaboration between Intel Security and Atlantic Council's Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security, explores security risks and opportunities that networked medical devices offer to society. It also provides recommendations for industry, regulators, and medical professionals to maximize value to patients while minimizing security risks arising from software, firmware, and communication technology across these devices.

Individuals wear networked devices to learn more about themselves, their diet, their exercise regimen, and their vital signs. Doctors can adjust and optimize implanted medical devices, such as pacemakers, quickly and accurately and often with no need for intrusive medical procedures. In hospitals, new devices network to provide more effective and less expensive monitoring and treatments. According to one estimate, these technologies could save $63 billion in healthcare costs over the next fifteen years, with a 15-30 percent reduction in hospital equipment costs.1

This is the second report in a series by the Atlantic Council in partnership with Intel Security to examine the rewards and risks of key emerging technologies and the importance of getting security right in order to unlock technologies' true potential.

The first paper in the series, Online Voting: Rewards and Risks, assessed the amazing possibilities that online voting and e-voting could unlock for participatory democracies, while analyzing equally difficult obstacles to ensuring their security.

For this paper, the Atlantic Council's Cyber Statecraft Initiative convened a roundtable of specialists from government, academia, think tanks, and the security and medical industries, to develop some guideposts on sustaining trust, innovation, and effectiveness in the world of networked medical devices.

The analysis in this report draws attention to the delicate balance between the promise of a new age of technology and society's ability to secure the technological and communications foundations of these innovative devices.

The rewards of networked healthcare come with four main overlapping areas of concern, including accidental failures that erode trust. Should any high-profile failures take place, societies could easily turn their backs on networked medical devices, delaying their deployment for years or decades. Protecting patient privacy and sensitive health data is a second immediate concern, as malicious online hackers consider healthcare information especially valuable. A case in point: the number of information security breaches reported by healthcare providers soared 60 percent from 2013 to 2014, almost double the increase seen in other industries, according to PricewaterhouseCoopers (PwC) Global State of Information Security Survey 2015.2

Intentional disruption is also a concern because networked medical devices face the same technological vulnerabilities as any other networked technology. Hacktivists, thieves, spies, and even terrorists seek to exploit vulnerabilities in information technologies (IT) to commit crimes and cause havoc. However, when a networked device is literally plugged into a person, the consequences of cybercrime committed via that device might be particularly personal and threatening.

Even more dangerous than the potential for targeted killings, though also far less likely, is the threat of widespread disruption. Theoretically, a piece of targeted malware could spread across the Internet, affecting everyone with a vulnerable device. Such a scenario has materialized in business IT and industrial control systems; the sophisticated Stuxnet attack against Iran's nuclear program is one example of this.

The current focus in medical device development and production is on manufacturers' preferences and patients' needs. Industry and government should also focus on implementing an overarching set of security standards or best practices for networked devices to address underlying risks.

Several recommendations will help foster innovation while minimizing security risks. This report makes the case that industry must build security into devices from the outset, rather than as an afterthought. As McAfee's then-CTO Stuart McClure testified before the US House Committee on Homeland Security in 2012, "Cybersecurity has to be baked into the equipment, systems and networks at the very start of the design process."3

The report recommends continued improvements to private-private and public-private collaboration. More coordination, not more regulation, is warranted. Regulators do not always keep pace with technological progress. They should have feedback from a full set of stakeholders through transparent collaborative forums that assure the regulators' independent functioning without creating concerns of collusion with industry. Likewise, industry officials should continue to improve communication among themselves.

The ultimate aim of enhanced cooperation is to change the current approach to the security elements of these devices. Security considerations, along with the devices' ability to improve patients' lives, must become an integral part of the process of conceiving and manufacturing these devices.

The report also recommends an evolutionary change to the regulatory approval paradigm for medical devices in order to encourage innovation while meeting regulatory policy goals and protecting the public interest.

Some medical device makers continue to push old technologies and resist innovation because they know regulators will approve the old technology. A more streamlined regulatory approval process could remedy this problem. An improved process should encourage security by design, as well as the ability to patch systems after they are deployed.

Lastly, this report recommends an independent voice for the public, especially patients and their families, to strike a better balance between effectiveness, usability, and security when devices are implemented and operated.

1 Peter C. Evans and Marco Annunziata, Industrial Internet, Pushing the Boundary of Mind and Machines (GE, November 26, 2012),
2 Peter Harries, The Prognosis for Healthcare Payers and Providers: Rising Cybersecurity Risks and Costs, PricewaterhouseCoopers, December 17, 2014, http://usblogs.pwc.
3 Stuart McClure, statement delivered to the United States House of Representatives Committee on Homeland Security Subcommittee on Oversight, Investigations, and Management, April 24, 2012,



THE PROMISE OF A NEW AGE OF MEDICAL TECHNOLOGY

The medical industry is evolving rapidly. Not only do more kinds of devices exist today, but they are increasingly interconnected. Almost half (48 percent) of healthcare providers polled in a PricewaterhouseCoopers survey said they have integrated consumer technologies such as wearable health-monitoring devices or operational technologies like automated pharmacy-dispensing systems with their IT ecosystems.1

Though the underlying technology in many of these devices overlaps, as graphic 1 shows, the devices generally fall into four main groups: consumer products for health monitoring; wearable external medical devices; internally embedded medical devices; and stationary, but networked, medical devices.

GRAPHIC 1. Networked Medical Devices

These technologies hold the key to unlocking both individual and society-wide benefits in three ways: they can improve outcomes and quality of life, empower patients, and cut skyrocketing healthcare costs.

Across the board, these powerful and customizable medical technologies offer the patient improved outcomes and quality of life. Medical staff, or even the users themselves, can monitor their health more responsively, receive feedback and alerts more quickly, make easier adjustments less intrusively, and deliver benefits more precisely.

According to one study on remote care management, the online monitoring of patients' blood pressure, body weight, and oxygen saturation led to a 64 percent drop in hospital readmissions. Regular videoconferencing checkups meant patients and their nurses were able to recognize any red flags and help address health problems before they became serious enough to require re-hospitalization.2

At the same time, wearable devices individualize medicine by empowering patients to meet their own goals for health and quality of life. Health-monitoring products provide real-time feedback about nutrition, fitness, pulse, blood pressure, and other vital signs. In fact, according to an eight-nation survey sponsored by Intel, more than half of respondents would trust a test they personally administered as much as, or more than, one performed by a doctor.3 For better health, patients seem willing to embrace networked medical technology. More than 70 percent of survey respondents were open to using toilet sensors, prescription bottle sensors, or swallowed [health] monitors.4

Though the direct costs associated with the development, testing, and production of medical devices are high, they hold the promise of helping to cut skyrocketing medical costs. It is hard not to be beguiled by the promise of health monitoring and self-treatment using devices like insulin pumps, which provide cheaper alternatives to an overtaxed medical system. If used as tools of preventive medicine, they can also decrease the rate of hospitalization.

The US National Institute of Standards and Technology, quoting one estimate by General Electric, says deploying cyber-physical systems could save $63 billion in healthcare costs over fifteen years, with a 15-30 percent reduction in hospital equipment costs and a 15-20 percent increase in patient throughput.5

1 Michael Compton and Kevin Mickelberg, Connecting Cybersecurity with the Internet of Things, PricewaterhouseCoopers, October 15, 2014, http://usblogs.pwc.com/cybersecurity/connecting-cybersecurity-with-the-internet-of-things/.
2 Intel, The Internet of Things and Healthcare Policy Principles,
3 Intel Newsroom, The World Agrees: Technology Inspires Optimism for Healthcare, December 9, 2013, http://newsroom.intel.com/community/intel_newsroom/blog/2013/12/09/the-world-agrees-technology-inspires-optimism-for-healthcare.
4 Ibid.
5 Peter C. Evans and Marco Annunziata, Industrial Internet, Pushing the Boundary of Mind and Machines (GE, November 26, 2012),

Jason Healey is the Director of the Atlantic Council's Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security. Neal Pollard is a Director at PricewaterhouseCoopers and Senior Fellow at the Cyber Statecraft Initiative. Beau Woods is the CEO of Stratigos Security.

THE RISK LANDSCAPE

Society's ability and desire to exploit networked technologies has always outpaced its ability to secure the underlying technology. Networked medical devices are no different with exposed security gaps in the integration of operational technology (e.g., medical devices), consumer technology (e.g., smartphones), and networked information technology (e.g., hospital networks).

Malicious actors could soon have the same hold here as they do elsewhere so that we could soon see a booming market in medical zero-day exploits, a security hole known to the attackers and for which there is no defense. This is what the future will look like if security officials and healthcare organizations do not take the correct steps today.

Networked medical devices raise four main and overlapping areas of concern: accidental failures, privacy violations, intentional disruption, and widespread disruption.

The first concern is accidental failures, which erode trust and could stop these promising technologies in their tracks. Even a single negative incident, repeated endlessly in the media, might stop an entire class of promising technologies from ever becoming a reality.

Networked medical devices are vulnerable to more than just criminal intent. Like any other technology, they are prone to failure. The complexity of connecting IT to consumer or operational technology which controls physical processes, such as pumps, creates exponential opportunities for flaws in design, implementation, or operation, any of which can lead to accidental failure. This is as true for pacemakers as it is for point-of-sale terminals and toasters, yet given the potentially fatal consequences of a medical device malfunctioning, there's little room for failure when it comes to these devices compared to other networked technologies. Should any high-profile failures take place, societies could easily turn their backs on networked medical devices, delaying their deployment for years or decades.

A second immediate concern is protecting patient privacy and the sensitive health data inside these devices.

Vulnerabilities in a networked medical device pose obvious privacy risks, since these devices access patients' most personal biological data. The devices' wireless networking function is central to their effectiveness, though as with any wireless network, users and technicians must ensure that they don't transmit unencrypted personal data across open networks. Additionally, if these devices interface with medical billing records, then patients risk losing both medical and financial information.

According to the Identity Theft Resource Center, 44 percent of all registered data breaches in 2013 targeted medical companies.6 Furthermore, the number of information security breaches reported by healthcare providers soared by 60 percent from 2013 to 2014, more than double the increase seen in other industries, with financial losses up by a stunning 282 percent, according to PwC's Global State of Information Security Survey 2015.7

Since the IoT is still in its infancy, no one yet knows all the ways this information can be used for malicious purposes. For example, one could imagine how many unethical gamblers would want access to key athletes' medical or health data before or during sporting events. What if extortionists took over devices or medical equipment until the patient or hospital paid a hefty ransom? Who knows what other examples we can't yet imagine?

Given the potentially fatal consequences of a medical device malfunctioning, there's little room for failure when it comes to these devices compared to other networked devices.

Intentional disruption is also a concern, because networked medical devices face the same technological vulnerabilities as any other networked technology.

Hacktivists, thieves, spies, extortionists, and even terrorists seek to exploit vulnerabilities in IT to commit crimes and cause havoc. However, when a networked device is literally plugged into someone, the consequences of cybercrime committed using that device might be particularly personal and threatening. Both Hollywood and the real world offer scenarios showing the potentially lethal consequences of terrorists or madmen hacking into pacemakers or insulin pumps.8 A James Bond movie featuring such attacks surely cannot be far behind.

The US Department of Homeland Security (DHS) is investigating two dozen cases of suspected cybersecurity flaws in medical devices that criminals could exploit, such as forcing an insulin pump to overdose a patient, or instructing a heart implant to deliver a deadly jolt of electricity.9

Even though almost half of respondents polled by PwC had integrated medical devices into their enterprise IT, they had not been as quick in ensuring the security of these connected devices. More than one-third (37 percent) said they had contacted device manufacturers to learn more about the equipment's security capabilities and risks, and only 59 percent had performed even a rudimentary risk assessment of the devices or technologies. Only 56 percent had implemented security controls, demonstrating a lack of foresight that can have real consequences.10

Two prominent security researchers, Jay Radcliffe and Barnaby Jack, have exposed flaws in insulin pumps, which are one of the more widely deployed networked medical devices. In 2011, Radcliffe discovered that access to an insulin pump's serial number would allow him to remotely communicate with the device from up to one hundred and fifty feet away. As these devices have little to no security, he could turn off the pump or cause an insulin overdose with just $20 worth of equipment. Jack soon improved upon Radcliffe's hack by finding a way to compromise an insulin pump even without the serial number, and expanding the range to three hundred feet. This would let a hacker scan for any nearby devices instead of having to target a specific device identified in advance.

As dramatic as these risks are, scant evidence exists that criminals or terrorists are motivated or able to exploit them. In the report referenced earlier, DHS acknowledged it is not aware of any criminals or terrorists trying to exploit the vulnerabilities the department is investigating. This should not, however, be reassuring. That these attack tools have not been widespread could just mean they have not yet appeared in the black market for sale. They almost certainly will.

Even more dangerous than the potential for targeted killings, though also far less likely, is the threat of widespread disruption. Theoretically, a piece of targeted malware could spread across the Internet, and only take action when it confirmed it was in a medical device. Such malware could affect everyone with a vulnerable device. This far-fetched but possible scenario has materialized in business IT systems and industrial control systems, like the sophisticated Stuxnet virus which targeted Iran's nuclear program.

6 Meg Whitman, 10 Big Tech Trends in Healthcare, HP Matter, January 7, 2015, https://www.linkedin.com/pulse/10-big-tech-trends-healthcare-meg-whitman.
7 PricewaterhouseCoopers, PwC Global State of Information Security Survey 2015, September 30, 2014, http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml.
8 See for example Homeland episode no. 10, Heartbroken, which originally aired on Showtime on December 2, 2012, and Daniel Halperin et al., Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses, IEEE, 2008, http://www.secure-medicine.org/public/publications/icd-study.pdf.
9 Jim Finkle, U.S. Government Probes Medical Devices for Possible Cyber Flaws, Reuters, October 22, 2014, http://www.reuters.com/article/2014/10/22/us-cybersecurity-medicaldevices-insight-idUSKCN0IB0DQ20141022?utm_content=buffer9c60e&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer.
10 Michael Compton and Kevin Mickelberg, Connecting Cybersecurity with the Internet of Things, PricewaterhouseCoopers, October 15, 2014, http://usblogs.pwc.

BOX 1. REWARDS AND RISKS IN CONTEXT: BIOINSTRUMENTATION

Great Lakes NeuroTechnologies, a company based in Cleveland, Ohio, developed bioinstrumentation products to better measure health. One set of these products tracks how symptoms change in response to treatment for patients with Parkinson's disease through physiological monitors and patient-centered diagnostic and therapy systems integrated with wireless, remote, and web-based applications, according to the company.

Of course, these Internet-enabled devices are at risk of an attack, but the results demonstrate the upsides of improved outcomes at reduced cost:

Clinicians use the real-time data collected by IoT-enabled devices to help optimize their patients' treatment and observe their response to treatment.

Pharmaceutical companies working on developing new therapies...use the information gathered through [these networked] devices to aggregate patient data from multiple locations around the world for clinical studies.

The Internet of Things also helps Parkinson's patients get affordable access to quality care via telemedicine.

Source: Jasper, Great Lakes NeuroTechnologies Turns to Jasper to Automate Telemedicine for Parkinson's Disease IoT Enables Connectivity for Remote Sensing to Optimize Patient Treatment, https://www.jasper.com/sites/default/ pdf.

BOX 2. REWARDS AND RISKS IN

Insulin pumps, among the most widely embedded devices, illustrate the balance between the benefits and risks of networked medical devices. Convenient and effective, they undoubtedly improve people's lives. One user, Melissa Ford, explains:

My insulin pump allows me to be a person with diabetes, not an autoimmune disorder with a pet human. For 7 years now, an insulin pump has given me the freedom to do the things I couldn't have done as confidently on injections. I eat just about whatever I want, when I am hungry; I drink alcohol in moderation; I travel at will; and I exercise to good effect. I can spend long hours in the library or at the pub. Reduced diabetes-related frustration and depression freed me to discuss things other than my blood sugars: campus events I had attended, what I was learning in my classes, and fun with friends.11

11 Melissa Ford, No, It's Not a Beeper, It's My Insulin Pump: Reflections on the Use of Continuous Subcutaneous Insulin Infusion Pump Therapy, Medscape, http://www.medscape.com/viewarticle/458714.

SOURCES OF RISK IN NETWORKED MEDICAL DEVICES

The software and firmware underlying networked medical devices have evolved in much the same way as other technologies: as an uneven and inconsistent mix of different versions, standards, and approaches to implementation. The developments were driven by manufacturers' preferences and patients' needs, as opposed to an overarching set of security standards or best practices.12

No one standard operating environment, architecture, communications method, or networking backend exists as a widely accepted standard for any class of networked medical devices. Where mobile phones or tablets operate on a relatively small set of standard technologies (Android or Apple, WiFi only or WiFi and 3G or 4G), medical device manufacturers tend to assemble a grab-bag of technologies, depending on the size of

Large devices are typically more standardized, with commodity off-the-shelf hardware and software components not much different from what might be on the doctor's desk. An MRI, for instance, might run a UNIX subsystem on the device, with a Windows front-end for controlling and viewing images. Smaller devices tend to be more specialized. For example, since a pacemaker needs an extremely long battery life and a low-consumption processor, it would more likely use a custom operating environment.

The communication technology may be more standard than other components of the device. A bedside infusion pump might link to the hospital's WiFi and connect to a system at the nurses' station, which in turn is linked over the local network to the hospital's medical records system. A pacemaker is more likely to use a shorter-range technology such as Bluetooth, the same technology that connects a mobile phone to a wireless earpiece or a tablet to a wireless keyboard.

Connectivity is powered by network systems, through which speedy electronic data transfers occur. The Internet, the world's most iconic network, consists of a multitude of other networks that differ in many aspects including size, topology, and access technology, bringing extreme complexity to the system. Known as the perimeter of a connected system, a network is subject to specific risks that network specialists address with constantly evolving security solutions.

Whereas a local health network with sharply defined boundaries might seem watertight, the very fact of being connected to the Internet via e-mail, or to a supplier via a private network, exposes the ecosystem to network-based risks. Simply blocking traffic or shutting down ports affords insufficient protection; these are counterproductive mechanisms, which merely serve to hinder access to information or interrupt service delivery. For networked devices to run smoothly, the networks that support them require full-time management with the capacity to inspect traffic, apply appropriate security policies, and exercise a bird's eye view on activity across the hybrid links that populate them. However, sophisticated technology is not always accessible, and security vendors face the daunting challenge of juggling the genuine business needs of saving time, keeping costs down, and simplifying administration.

Device and application software disparities are common due to the lack of a standard programming language across the industry. In most cases, companies continue to improve on older devices while using similar components and languages, as the costs of switching are high, and keeping legacy code might ease the burden of getting the FDA approval required for new devices.

Access control and credential-management controls present a particular dilemma, as these control permissions allow direct access to a patient's most personal data, or to the device's underlying control code.

Medical devices need to be secure enough to protect against tampering, yet still accessible enough to be accessed by medical personnel. Imagine a patient with a networked pacemaker who naturally wants the strictest controls, then falls unconscious after heart trouble while traveling overseas. That patient would want a local doctor or emergency medical technician to have immediate access to the pacemaker, yet the patient is incapacitated and cannot grant that authorization.

Different manufacturers have different solutions to this dilemma. Some favor hard-coded passwords that are built into the system and can't be readily changed. The upside is that these passwords can be listed in the device's user manual, easily found by emergency medical professionals who might need them to treat a patient. Unfortunately, hackers can also easily find the passwords and misuse them. The US Computer Emergency Readiness Team (US-CERT) recently disclosed that several defibrillators had this vulnerability, noting the default password allows physically proximate attackers to modify device configuration and cause a denial of service with adverse human health effects.13

Other manufacturers stress security by avoiding such hard-coded credentials, but at the risk of keeping out legitimate medical personnel during a dire emergency.

Finally, there is the challenge of fixing vulnerabilities after they are discovered. If, for example, a device has been surgically implanted, patching the software or firmware is not always possible.

In the United States, some manufacturers fall back on a longstanding concern that any change, even security patches, requires FDA re-approval. Although this is not accurate, patching medical devices remains costly and cumbersome, as manufacturers must prove that the patched device still meets all medical intended-use claims.14

Consequently, less patching is done on medical devices than on other IT systems.

12 For a case study of this process going horribly wrong, read Nancy Leveson's analysis of the Therac-25 computer-controlled radiation therapy machine http://sunnyday.mit.edu/papers/therac.pdf.
13 US-CERT, Vulnerability Summary for the Week of August 11, 2014, August 2014, https://www.us-cert.gov/ncas/bulletins/
14 For evidence that the concern is not true, refer to FDA guidance and communications such as http://www.fda.gov/RegulatoryInformation/Guidances/ucm077812.htm; http:// ucm189111.htm; and http://www.fda.gov/RegulatoryInformation/Guidances/ucm356186.htm.

RECOMMENDATIONS FOR BETTER SAFETY, SECURITY, AND EFFECTIVENESS IN NETWORKED MEDICAL DEVICES

As with security challenges accompanying other new technologies, open collaboration and communication are key to managing and reducing risk. This includes collaboration and communication among regulators, as well as between regulators, industry, and medical and healthcare practitioners. Several recommendations will help foster innovation while minimizing exposure to security risks:

Stress security at the outset, rather than as an

Improve private-private and public-private collaboration

Move toward evolutionary change of the regulatory approval paradigm for medical devices

Introduce an independent voice for the public

GRAPHIC 2. Regulatory Spectrum for Networked Medical Devices Worldwide


1. Build Security into Devices from the Outset, Rather than as an Afterthought

Medical device manufacturers must adopt a secure-by-design approach to research and development.

In the past, security has always been an afterthought. Because of that approach, security experts have had to deal with the reckless shortcuts developers have taken to try to cram security in after the fact. Adding security features to products after their initial rollout is a losing battle. It is simply too costly and ineffective to try to secure systems already in the possession of the end user.

As Stuart McClure, McAfee's then-Executive Vice President and Worldwide Technology Officer, explained to the US House Committee on Homeland Security, "Cybersecurity has to be baked into the equipment, systems and networks at the very start of the design process."15 Admittedly, to get security right in the design process upfront is an investment both in time and resources. But by prioritizing security in its approach to product design today, the medical device industry will reap dividends tomorrow.

Since many medical device manufacturers write their own in-house code, and they are not software specialists, their customized code is more likely to be inefficient, specific to each company or project, or full of security holes just waiting to be discovered. Such small software operations also tend to make it difficult to find and patch those bugs.

This project could be a rare opportunity in which innovation, privacy, and security would be fully aligned, as it could reduce costs for manufacturers and accelerate innovation, all while allowing for better security. As security threats and other bugs are found, the fixes would be made available to the entire community.

Even the best secure-by-design products will still have bugs. The medical device industry should therefore adopt another best practice from other technology sectors and cooperate with computer security researchers. A grassroots organization of security researchers called I Am The Cavalry is an excellent example of collaboration between security researchers and companies, creating public awareness around areas where IT security affects public safety and human life, especially networked medical devices.

All too often, companies see such hackers as adversaries or villainous criminals looking for flaws in their products. Instead, many are driven by simple curiosity or public mindedness.

Maximizing the benefits of networked medical devices requires careful balance between the control that a secure-by-design approach might impose on devices and the flexibility needed by practitioners and patients in the field.
Sometimes, flexibility, and adaptation in the
field breeds security vulnerabilities, as device So-called bug-bounty programs offer modest
operators change configurations or security financial rewards to these researchers who
features, or combine technologies. A secure- provide low-cost security testing for the
by-design approach might include mitigating software. An industry-wide bug-bounty
approaches such as automated logging and program for medical devices, perhaps even
monitoring of device modifications in the initially co-funded by a partnership between
field, to identify vulnerabilities and better government and industry, might drastically
manage them. improve security at a low cost.

National governments, in partnership with A new approach for risk management of

an industry coalition, might make this secure- networked medical devices begins with
by-design approach easier by providing initial cooperation between the manufacturers of
funding for an open-source, common-language devices and software. Manufacturers need to
software library for medical devices. work with the security industry and regulators
to develop a comprehensive risk model to
follow during product innovation, design, and
delivery. This model would view the networked
15 Stuart McClure, statement delivered to the United States House of
medical device as a platform, not a standalone
Representatives Committee on Homeland Security Subcommittee delivery device. (The smartphone is another
on Oversight, Investigations, and Management, April 24, 2012, example of this model.) It would create
http://homeland.house.gov/sites/homeland.house.gov/files/ corresponding industry coalitions around


specific device lines, to consider the security of technologies connected to the device. The goal is to produce a medical device as a robust platform, upon which additional technologies and services can be added.

It is ineffective to apply existing risk models, developed for desktop security, to medical devices. The differences (such as in credential management, access control, and patching) are too great. As one participant in an Atlantic Council workshop pointed out, the tradeoffs between convenience and security can be particularly pronounced:

"If you have an insulin pump and you're asking somebody over sixty to input a password every time that person gives a bolus, then either the person is going to choose 1-1-1-1 as the password, or they're going to find a way to deactivate it, or they're going to go for a competitor's device which doesn't have it [to avoid the irritation]."16

16 Quote from participant at Atlantic Council workshop on networked medical devices held on June 27, 2014.

However, existing models for cybersecurity risk management can serve as a launching point. Within the United States, NIST's National Cybersecurity Center of Excellence (NCCoE) is working with industry to develop a use-case to secure wireless medical infusion pumps, and will then expand it into a practice guide using off-the-shelf solutions.17

17 NIST, Cybersecurity Center Invites Feedback on Securing Medical Devices, December 22, 2014, http://www.nist.gov/itl/pumps-122214.cfm.

NIST has also created a more targeted $7.5 million program to explore Cyber-Physical Systems (more or less, another name for the IoT), including networked healthcare devices. This has been an active and extensive project for developing a secure-by-design IoT, involving industry vendors, academia, and government.

Other jurisdictions, especially the European Union (EU), should be involved with these programs and extend them within their own borders.

2 Improve Private-Private and Public-Private Collaboration

Few would suggest that the industry needs more regulation. Rather, more coordination is crucial. In any government agency struggling to deal with rapid changes in technology, regulators are not always as agile as they would like to be. To respond effectively, regulators require feedback from everyone involved through transparent collaborative forums, which ensure the regulators' independent function without concerns of collusion with the industry.

Improving security almost certainly requires a safe place to talk about these issues, provide clarity on regulatory interpretation, reach agreement on how regulators can enable innovation and effectiveness, and serve as a safeguard of the public interest.

For discussion with government, one existing model is the National Health Information Sharing and Analysis Center (NH-ISAC) in the United States. The NH-ISAC itself is probably not appropriate for this function, as it focuses on threat response, but its role as a convener of multiple stakeholders makes it useful as a model.

Manufacturers should continue improving communications among themselves. The Industrial Internet Consortium (IIC), formed by Intel, IBM, Cisco, AT&T, and Microsoft, is an example of how industry collaboration can help unlock business value while also bolstering security.

The EU might consider such models as part of its current debate on adopting new regulations. Current EU procedures for medical device approval are shorter and less restrictive than their US equivalents. The European Parliament is considering new regulations that would promote safety as well as innovation. However, some manufacturers worry that such rules would create unnecessary layers of bureaucracy and delay patient access to innovative technologies.18

18 Angeliki Valsamidou, Update on the European Proposal for a Medical Devices Regulation, Inside Medical Devices, May 30, 2014, http://www.insidemedicaldevices.com/2014/05/30/european-parliament-adopts-resolution-on-the-proposal-for-a-medical-devices-regulation.

As the various regulatory bodies (shown in graphic 2) continue deliberating, they will need


to consider the transnational nature of data. Medical devices, especially in the consumer personal-fitness space, already stream data to cloud servers, which can be in another jurisdiction that might have significantly different health and privacy regulations.

These standards must be coordinated worldwide, following the examples of the Global Harmonization Task Force and the International Medical Devices Regulators Forum. Ideally, IT standards should vary as little as possible from one country to another. Not only would that cut manufacturing costs; it would allow security to scale among jurisdictions.

Movement to the cloud will continue to pose regulatory and business challenges, as data moves seamlessly across borders with profoundly different privacy regulations.

3 Evolutionary Change of the Regulatory Approval Paradigm for Medical Devices

The current regulatory paradigm must do more to encourage innovation, while still meeting regulatory policy goals and protecting the public interest.

Most regulatory processes, such as the FDA's 510(k) process, give the regulator an initial look at a new medical device before it goes to market. To determine whether the new device is similar to an existing one on the market (with the same risks and benefits for treating an identical problem), the FDA will classify the proposed product and review its risks and benefits, along with any available research. If a device is 510(k) cleared, it may then be sold in the United States, but cannot be referred to as FDA-approved.

Yet some manufacturers push old technologies and stifle innovation because they know the old technology will obtain regulatory approval. As mentioned earlier, this can discourage manufacturers from innovating, which can actually result in decreased network security.

One possible incentive might be a streamlined approval process. Software security for nonmedical devices is a fairly mature field. Security experts already know the vulnerabilities of general commercial software, which allows a solid correlation for those in medical devices. Where the same or similar vulnerabilities exist, such as in a device running a vulnerable webserver or with an out-of-date operating system, regulators might not approve the product. The regulatory process should encourage security by design, as well as the ability to patch systems after they are deployed.

4 Independent Voice for the Public in Cybersecurity Discussions

It is fundamental that this model offers a voice in the debate to the public, especially patients and their families. In most countries, governments and private companies do not adequately represent the public's interest in medical issues. This applies specifically to striking a balance among effectiveness, usability, and security when the device is implemented and operated.

As the head of a medical device consortium testified before the US Congress:

"Our entire healthcare system is shifting to a model that embraces shared decision-making by informed patients, whose views are valued and considered at every stage of treatment. It makes sense for innovators and regulators to consider patient perspectives as they develop and assess medical devices. After all, one of the most important questions we ask is whether the clinical benefit of a device outweighs its risk.

"Patients and their families have a deep and personal understanding of what it is like to live with a disease, and they often have valuable insights on how a device could affect their quality of life. In the end, it is patients who must take the risks of medical interventions to obtain the benefits, so their perspectives on benefit-risk tradeoffs should be central to the benefit-risk assessments that are the basis of regulatory approval."19

19 Bill Murray, testimony delivered to the US House of Representatives Committee on Energy and Commerce Subcommittee on Health, July 9, 2014, http://democrats.energycommerce.house.gov/sites/default/files/documents/Testimony-Murray-HE-21st-Century-Cures-Modernizing-Clinical-Trials-2014-7-9.pdf.

Regulators have already recognized the value of public input, especially from patients.


Within the United States, guidance in 2012 from
the FDA's Center for Devices and Radiological
Health emphasized patient tolerance for risk
and perspective on benefit.20 The FDA can
embrace this approach further, applying it
industry-wide and offering specific guidance on
how feedback from patients, or the broader
public, should be collected and presented into
the regulatory process.

Networked medical devices have bridged the
human-machine interface, delivering the most
personal of benefits. They literally embed the
Internet into people's lives, improving medical
outcomes, offering better quality of life, and
lowering healthcare costs. They also potentially
introduce security flaws along with those
benefits. However, these flaws can be managed
and even reduced with a handful of steps: a
focus on security by design; better collaboration
among industry, manufacturers, regulators, and
medical practitioners; a change in the
regulatory approval paradigm; and encouraging
feedback from patients and families who
directly benefit from these devices.

The medical profession stands to benefit
from networked medical devices in ways that
are still unfolding. The practice of medicine
is as old as human civilization, though it
sometimes resists adopting new technology.
To embrace this change, medical school
curricula would do well to focus on this new
set of tools. Health practitioners and
physicians, working with patients and their
families, are particularly well suited to drive
the right balances among security, safety,
effectiveness, and patient experience. If they
embrace this technology, they will be uniquely
positioned to observe and identify the causes
of medical device failures, as well as the
unintended consequences of efforts to strike
these balances, and share those insights and
lessons with all involved parties.

20 Ibid.

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to
hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused
on developing proactive, proven security solutions and services that protect systems, networks,
and mobile devices for business and personal use around the world. Intel Security combines the
experience and expertise of McAfee with the innovation and proven performance of Intel to make
security an essential ingredient in every architecture and on every computing platform. Intel
Security's mission is to give everyone the confidence to live and work safely and securely in the
digital world. www.intelsecurity.com.

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other
countries. McAfee and the McAfee logo, Intel Security are registered trademarks or trademarks
of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be
claimed as the property of others. Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard,
Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com.


The Atlantic Council is a nonpartisan organization that promotes constructive US leadership and
engagement in international affairs based on the central role of the Atlantic community in meeting
today's global challenges.