Forensic Blogs

An aggregator for digital forensics blogs

by

Frameworks Of Medical Device Security

The field of Medical Device Cybersecurity as I have explored over the last week is a field that is attempting to protect the health of people while walking a line of efficiency vs. security that allows the device to not only be secure but to also be effective in treating the patients who need them. They tow this line by implementing security measures from development until the end of the life cycle discussed last week. These measures come from frameworks released by organizations such as ISO and the IMDRF.

The IMDRF (International Medical Device Regulators Forum) has in recent years put out several guidelines that seek to help address the threats that medical devices can face throughout their lifecycle. These include the “Principles and Practices for Medical Device Cybersecurity “, “Software as a Medical Device”, and “Possible Framework for Risk Categorization and Corresponding Considerations”. These frameworks address best practices in medical devices throughout the lifecycle of the device and even after the device has been introduced to the market. One method that it recommends is to pursue a model of security by design. This is when a company keeps the security of the device, both physical and digital, in mind from the moment they are designed. Keeping in mind any possible risks to the device that might exist in the field and might arise through normal use of the device. This concept of addressing risks is a recurring theme for the security of medical devices. The IMDRF recommends that all medical device manufacturers and designers pursue a risk-based development and assessment model. The risk-based model is one where risks to devices are categorized by severity, assessed to how relevant they are to the device, and then appropriate measures are taken to bring the risk down to acceptable levels without impacting the performance and functionality of the device. The IMDRF also recommends that manufacturers have a robust post-market Incident response plan to allow for the gathering of details on what happened, what changes need to be made, and for updates to be sent out as needed for new threats. This organization is cited heavily in the EU’s 2017 regulation that has come into effect recently known as MDR, which requires in Annex 1 this risk-based model, threat assessment, and security vs. Performance mindset. It is also heavily referenced in the FDA’s current pre and post-market guidelines directly where again the maintenance of a risk framework, secure design, and threat assessment is required.

Another framework that is leveraged by both the FDA and the EU’s MDR is the ISO framework. ISO stands for the International Organization for Standardization and it publishes standards that are used in several industries, however, I focused only on those relating to medical devices, mainly ISO 27001. This framework is also referenced in MDR and the FDA pre and post-market guidelines. This framework makes some important recommendations such as ensuring that in a medical device organization the security is well planned out and documented, ranging from leadership ensuring that everyone who is working on the device is recording and getting the needed security resources, to ensuring that a plan is adaptable to problems that occur so a device can not get bogged down by problems. ISO also recommends that to be compliant an organization needs to maintain an actively adapting threat model for the devices and software they release to proactively protect users. This is a big part of it and will need to be explored in the future.

This week the main issue that I found was finding how these frameworks are applied in regulations as there are guidelines. Due to the constantly evolving nature of the cyber landscape, they have to be relatively open-ended to maintain relevance in such a constantly changing landscape. Therefore defining terms such as “state of the art” and “dynamic risk” is an important hurdle I had to face that I am still actively working to clarify more. 

Follow us for more updates on this project!

For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de

Written By: Michael Verdi '22 // Computer & Information Systems Security

The post Frameworks Of Medical Device Security appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

Smartphone On Wheels

It’s been a week since I posted my project’s first status report. Since then I’ve continued my work on the regulations and setting a baseline, but I’ve expanded a little bit to cover the topic of a connected car. This being one of the key segments of my research it’s important to set a really strong baseline. One thing that I quickly realized is that a connected car is, as the title says, just a smartphone on wheels. Filled with apps, chipsets, and network configurations, a car is just as vulnerable, (if not more so), than a modern-day smartphone. Last week I touched on the rules and regulations that are being developed, but this week my focus was on defining the modern-day connected car.

There are two sides to the technology inside a connected car, the internal and external. Quickly my focus shifted onto the external factors that make a car connected. These are things like Bluetooth, CarPlay, and Satellite, as well as some others. Each of these makes the car more enjoyable for the daily drive to work. As a consumer these aren’t thought to be insecure, Bluetooth for example gets used every day in most cases. Bluetooth is pretty insecure at its base, and when you put that in a car it becomes a problem. Internally poses a different risk. When it comes to external threats, those are just ways to get into the car and access its network. Internally threats are the things controlling your car, so from the traction control, to the airbags, even to the turn signals. 

Both of these separate shouldn’t be an issue for any auto manufacturer. It’s the fact that in many older cars, these two networks communicate with each other through what’s called a CANbus. This means someone that gains remote access through the Wireless stack, can, with a little bit of know-how, send spoofed messages to the CANbus and tell the car to do what they want. 

Using this information that I’ve gathered about the ins and outs of connected vehicles, I’ll be trying to put together a threat model surrounding connected cars over the next week. This includes the attack vectors as well as the damage potential they can cause. If you’re interested in hearing more about that be sure to check in next week as I’ll be posting an update on my status then.

Follow us for more updates on this project!

For further questions about Munich Cyber Security Program, or this project please feel free to contact mcsp@comcode.de

Written By: William Alber '22 // Computer & Digital Forensics

The post Smartphone On Wheels appeared first on The Leahy Center for Digital Forensics & Cybersecurity.

by

The State Of Medical Security

At some point in everyone’s life they have had to go to the doctor, and whether this has been for something small or something serious the doctor has had to use some kind of device. These devices, whether they are used for diagnosis, analysis or treatment are becoming more and more interconnected to each other and with the wider internet. Whether this is an X-Ray sharing its x-rays with an image analysis program for the doctor, a pacemaker that lets you adjust settings from an app on your phone, or even a health bracelet such as a Fitbit, the fact that medical devices are becoming more and more interconnected means that they are becoming more vulnerable to threats and threat actors in the Cyberspace. Proper Assessment, response, planning, and adaptability are key in trying to protect devices that protect us.

Throughout my research so far I have found that the governing bodies of both the United States and the European Union use a variety of institutions and practices to help address the risks throughout the lifecycle of medical devices. This lifecycle generally is addressed as follows.

Planning: This is when the device is being developed and designed to start testing and figure out what the device is needed for etc.Design: This is when the device is starting to get the technical aspects of itself, engineers start to generate the documentation needed and incorporate necessary design elements.Validation: This is the phase where regulatory compliance is completed and all the necessary information and labeling is provided to all stakeholders.Launch: This is where the device is introduced into the market and training and any other actions are done.Post Market: After the device has been sold this is where the cycle of monitoring, updating, and improving the device occurs.

One major institution that seeks to guide this field for legislators, regulators, and manufacturers in the IMDRF or International Medical Device Regulators Forum. They have in recent years put out several guidelines that seek to help address the threats that medical devices can face throughout their lifecycle. These include the “Principles and Practices for Medical Device Cybersecurity “ and “ “Software as a Medical Device”: Possible Framework for Risk Categorization and Corresponding Considerations”. These frameworks address best practices in medical devices such as having a security design mindset throughout the development process, pursuing a risk-based development and security model, having a good and robust Incident response framework, performing extensive vulnerability assessments throughout the lifecycle of the device, and ensuring that the security measures taken are scaled for the risk to the user if the device is compromised.

This summer working for COMCODE the goal is to gain an understanding of the current state of cybersecurity in regards to medical devices, which at first glance might seem simple however cybersecurity is never as simple as first meets the eye and medical devices constitute everything from the x-ray machine to the blood oxygen level reader to your Fitbit. All of these devices have security needs that need to be met and all are potential targets for malicious actors.

So far in my research, the main issue has been how convoluted and far-reaching the medical device field is. The fact that medical devices span so far is a cause of the cornucopia of regulations, practices, and controls that are used on various devices and why classification of devices is very open-ended and at times can be very vague and left to the manufacturer. However as my research has continued the tangle of rules, regulations, and practices has started to unravel. Shortly the solid base of a picture of the field will be ready to build my understanding upon.

STAY UP TO DATE WITH TWITTER, INSTAGRAM, FACEBOOK, AND LINKEDIN SO YOU KNOW WHAT WE’RE UP TO!

Written By: Michael Verdi '22 // Computer & Information Systems Security

The post The State Of Medical Security appeared first on The Leahy Center for Digital Forensics & Cybersecurity.