The Wired article today on Hospira’s ongoing insecure infusion pump software and hardware over the last year does not give confidence. The FDA has gotten involved over the last year & Hospira reportedly has over 400,000 infusion pumps in the field. Do startups in critical care hire security & PenTest firms to make sure their products are solidly locked down? Can you afford NOT to do so? Can your firm survive a total recall?
http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
Hacker Can Send Fatal Dose to Hospital Drug Pumps | WIRED
A hacker could change the dosages of drugs delivered to patients and alter the display screens on the pumps to indicate a safe dosage was being delivered when it wasn’t.
source: https://www.linkedin.com/groups/78665/78665-6014118362504798211
Private answer
Aaron Liang
I think much of this boils down to your design and risk management. For example, you could disable wireless connectivity in the electronics (e.g. a computer workstation) or block off any USB/network ports to prevent connections. All of this is dependent on the intended use of your device and whether or not there is value or purpose in being connected to networks or other devices. There are many electronic medical devices which can only be physically programmed by a clinician or otherwise qualified user so these risks can certainly be sufficiently mitigated. Certainly with infusion pumps, they could be centrally managed through the internet or a network or individually programmed and it is up to the company to manage the risks associated with these choices. I'm not sure that device manufacturers are lax, it is more the result of good/poor decision making by different organizations.
Private answer
Since "modern" electronic equipment in hospitals is designed to be networked so data can be both stored and monitored for real-time checking, patient records & alarms to the nurses' station, those types of devices are necessarily "networked," or in the hacker world, they consider those types of items as 'targets.'
Security is literally a highly complex speciality today and most small startups can't afford to easily hire a top security specialist, so contracting with a security & testing firm seems the most reasonable choice. And to avoid the most common problems, the security design must start on day 1 of the project.
Private answer
It is not only about infusion or syringe pumps; there is other high-risk and life-sustaining equipment also connected to the network, like robots that are doing robotic surgeries, or even the HIS itself. So the problem is in the idea of hacking, where the hackers may exchange the EHR of the patients without even hacking any equipment, especially in multihospital systems where hospitals are connected to each other wirelessly. Mainly, the only solution is to have a strong, reliable and updated security system.
Private answer
Another site that has a lot of good articles and insight: http://www.cioinsight.com
Private answer
Stephen Glassic
Some questions I have are: do regulatory requirements for validation of software security fixes cause medical device software to be more vulnerable than other software by increasing development costs and causing delays in the release process? If so, is there anything that could be done to expedite security upgrades? Could an effective universal software security system be instituted that can be utilized with all devices?
Private answer
Jerry Robinson
With 50 billion+ IoT devices headed toward us.. security is extremely crucial...
Since most will likely be BLE type devices - i.e., packetized Bluetooth - then it is an extremely good idea to get ahead of this issue..
Private answer
InfoWorld ran an article today noting how and why software in networked medical devices is less secure due to some of the constraints of locking in software at some point in the development cycle and then not patching later as faults are found.
http://www.infoworld.com/article/2933868/hacking/10-extreme-hacks-to-be-truly-paranoid-about.html
I quote some important sentences below and it is eye opening for me:
"Most medical devices undergo five to 10 years of development, testing, and certification approval before they can be used on human patients. Unfortunately, this means that any software used in the devices has five or more years of unpatched vulnerabilities by the time they ship. Of course, medical devices must be easy to use, and they must “fail open” -- that is, they must continue to operate even when security has been breached. Long, complex, and changing custom passwords work against the device’s ease of use, so they are not often employed. Plus, nearly all communication between devices is unauthenticated and unencrypted. Because of this, any hacker who finds the right ports can read the data and change it, without causing an operational interruption to the device, its management software, or other interfacing systems, such as electronic medical records. In fact, most medical device communications lack basic integrity checksumming, which would easily catch most malicious changes."
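The quoted passage's point about unauthenticated traffic and missing integrity checks, as an added example that is not part of the original post or the InfoWorld article: a plain checksum (CRC32) flags accidental corruption but is still accepted on a deliberately rewritten frame, while a keyed MAC (HMAC-SHA256) is rejected. The command fields, pump ID and key are constructed for illustration.

```python
import hashlib
import hmac
import json
import zlib

# Constructed demo key; a real device would hold a provisioned per-device secret.
KEY = b"constructed-demo-key"

def encode(cmd: dict) -> bytes:
    # Canonical JSON so sender and receiver compute over identical bytes.
    return json.dumps(cmd, sort_keys=True, separators=(",", ":")).encode()

def frame_crc(cmd: dict) -> bytes:
    body = encode(cmd)
    return body + zlib.crc32(body).to_bytes(4, "big")

def check_crc(frame: bytes) -> bool:
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]

def frame_hmac(cmd: dict, key: bytes) -> bytes:
    body = encode(cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def check_hmac(frame: bytes, key: bytes) -> bool:
    if len(frame) <= 32:
        return False
    expected = hmac.new(key, frame[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-32:])  # constant-time compare

def demo() -> dict:
    # Constructed sample command; field names are hypothetical.
    original = {"pump_id": "PUMP-0001", "seq": 17, "rate_ml_per_h": 5.0}
    altered = dict(original, rate_ml_per_h=50.0)

    noisy = bytearray(frame_crc(original))
    noisy[10] ^= 0x01  # accidental single-bit error in transit

    # Anyone can recompute an unkeyed checksum over changed content.
    rewritten_crc = frame_crc(altered)
    # Without KEY the best available tag is one copied from a genuine frame.
    rewritten_mac = encode(altered) + frame_hmac(original, KEY)[-32:]

    return {
        "crc_detects_bit_flip": not check_crc(bytes(noisy)),
        "crc_accepts_rewritten": check_crc(rewritten_crc),
        "hmac_accepts_genuine": check_hmac(frame_hmac(original, KEY), KEY),
        "hmac_rejects_rewritten": not check_hmac(rewritten_mac, KEY),
    }

if __name__ == "__main__":
    print(demo())
```

The MAC covers `seq`, so a receiver that tracks the last accepted sequence number can also reject replayed frames; that check is not shown.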
Private answer
Stephen Glassic
Bo, The entire article is eye opening and very disturbing. Reading through some of the links from the article and beyond, it seems like there is room for a more proactive approach but nobody wants to hold the responsibility or pay the expense. FDA guidelines indicate that cyber security upgrades do not need to be approved since they do not affect the safety or effectiveness of the device (as stated in this FDA Guidance document).
http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
I get the impression that following FDA guidelines does not necessarily offer any protection from liability. Nobody wants to be the last one holding the hot potato if something goes wrong.
Private answer
Stephen, you've hit on a big part of the problem.
The sages noted, "If you don't understand what is going on, look for the money." My guess is the project managers @ Hospira on the infusion pumps put in the line item for security development and penetration testing and someone at the VP level said "That's too much for such a simple product no one will ever look at." I have a friend in consulting services on hospital digital matters and he just noted that his requests to supply expert witnesses in hospital class action lawsuits have absolutely gone through the roof this year. You pay a bit now or a lot more later.