Increasing Medical Device Security With Mainstream IT Platforms and Technologies

Version 1

    A Layered Security Approach Improves Protection and Eases the Burden on Health-Care IT


    By Santhosh Nair, Director, Medical Markets, Wind River & Michael P. Taborn, Platform Architect, Intel


    Medical devices, such as diagnostic tablet computers, heart-rate monitors, and MRI scanners, are just as susceptible to malware as standard laptop computers. Keeping them secure in any networked environment is certainly challenging, and the stakes are particularly high in the health-care industry.


    Proving this point, computer security firm McAfee and a medical equipment manufacturer recently raised awareness of security holes with potentially life or death consequences. They identified a networked insulin pump with a security flaw that allows the device to be hacked and subsequently administer a potentially lethal amount of insulin to diabetes patients. Although not currently typical targets of cyber-attacks, medical equipment can

    become “collateral damage” in a malware outbreak, or even be the weak link that opens the door to a cyber-attack.


    As the complexity of securing devices increases, so does the risk of vulnerabilities slipping past equipment manufacturers and hospital IT organizations. However, this complexity is reduced significantly when medical devices are designed for security using platforms similar to typical networked clients, such as laptops and workstations. This synergy enables hospital IT personnel to apply consistent security strategies across the network, making it easier to administer and monitor equipment. Moreover, as new technologies and methods roll out to thwart attacks, they can be implemented in a similar fashion across the network.


    There isn’t a single security solution capable of addressing all existing and future risks; instead, most would agree it’s necessary to implement a series of different defenses across the system. This can be done using a layered security approach that enforces security policy from the CPU to the application software, as outlined in this paper and demonstrated by the Intel Medical Security Reference Platform. In the best case, devices will be fully protected; and in the worst case, malware is detected faster, allowing counteractive _action to be taken before any harm is done.