Medical device security, and the risks associated with those devices, is getting increased attention. A recent article in The Hill highlighted the concern the FDA and private industry have regarding these devices. The FDA has issued both pre- and post-market guidance, with the goal of improving the security of connected medical devices in the development and manufacturing processes.
In March 2017, OWASP, the Open Web Application Security Project, released a set of best practices for securely deploying connected medical devices. The OWASP best practices contain seven high-level categories encompassing thirty-two recommendations:
- Purchasing Controls
- Perimeter Defenses
- Network Security Controls
- Interface and Central Station Security
- Security Testing
- Incident Response
Implementing Purchasing Controls is the best way for an organization to understand the types of security vulnerabilities it is bringing into its environment. It allows an enterprise to ensure that it can provide compensating controls, as necessary, to secure the device appropriately. In addition, it is the best way to assess whether the device can comply with the organization's security standards, such as account lockout requirements, audit logging, access controls and password requirements.
In addition to the Purchasing Controls recommended in the OWASP document, I also advocate for a 'Bill of Materials' as part of the purchase of any software, firmware or product. Companies should require their vendors to provide a list of all open source and commercial components included in their products. Companies can then use the Bill of Materials to check those components against known vulnerabilities, which is crucial to managing risk.
The Heartbleed vulnerability is an example of a vulnerability that persists, in part, due to the lack of Bill of Materials enforcement. Heartbleed is an OpenSSL vulnerability first identified in 2014. The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension. When exploited, it leaks memory contents from the server to the client and from the client to the server.
One common use is in networked appliances whose logins are secured by this implementation of TLS. Many organizations are still not aware that they are using vulnerable products and devices that contain OpenSSL components. Until vendors update their software, these vulnerabilities will persist.
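To make the Bill of Materials point concrete, here is an added example (not from the original post or from OWASP) that parses a constructed component list for a few hypothetical devices and flags any component whose version falls inside a known-vulnerable range; the single range in the table is OpenSSL 1.0.1 through 1.0.1f, the publicly documented Heartbleed-affected releases (1.0.1g shipped the fix). The device names, component lists and the comma-separated file format are assumptions made for the illustration.

```python
import re

# Constructed sample Bill of Materials for three hypothetical devices:
# device, component, version, licensing (open source / commercial).
SAMPLE_BOM = """\
infusion-pump-A, openssl, 1.0.1e, open source
patient-monitor-B, openssl, 1.0.1g, open source
patient-monitor-B, vendorlib, 4.2, commercial
gateway-C, openssl, 1.0.2h, open source
"""

# Known-vulnerable ranges, inclusive: component -> [(issue, first_bad, last_bad)].
# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carried the fix.
KNOWN_VULNERABLE = {
    "openssl": [("Heartbleed", "1.0.1", "1.0.1f")],
}

def parse_version(version):
    """Turn 'major.minor.patch[letter]' into a comparable tuple. OpenSSL letter
    suffixes map to a number (none = 0, a = 1, ...) so 1.0.1 < 1.0.1a < 1.0.1f."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    major, minor, patch, letter = m.groups()
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), suffix)

def parse_bom(text):
    """Parse comma-separated BOM lines into dicts; blank and '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, component, version, licensing = [f.strip() for f in line.split(",")]
        entries.append({"device": device, "component": component.lower(),
                        "version": version, "licensing": licensing})
    return entries

def find_vulnerable(entries, table=KNOWN_VULNERABLE):
    """Return (device, component, version, issue) for every entry inside a known range."""
    findings = []
    for e in entries:
        for issue, first_bad, last_bad in table.get(e["component"], []):
            v = parse_version(e["version"])
            if parse_version(first_bad) <= v <= parse_version(last_bad):
                findings.append((e["device"], e["component"], e["version"], issue))
    return findings
```

Running `find_vulnerable(parse_bom(SAMPLE_BOM))` flags only the infusion pump's OpenSSL 1.0.1e; the patched 1.0.1g and the 1.0.2h build pass, and components not in the table are ignored.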