Dräger addresses cybersecurity vulnerabilities in medical devices
With the growing demand of network connectivity in medical devices, Dräger focusses on a responsible use of information technology. Product Security engineers support the process of developing device functionalities that are supposed to function reliably and securely in a hospital network. Hannes Molsen (HM) and Scott Bristol (SB), both responsible for global Product Security at Dräger, have answers to the most frequently asked questions on cybersecurity.
What is the benefit of a device that is connected to a hospital network?
HM: Connecting devices provides a wide range of benefits. Some examples are: Data of multiple patients can be made available in a single system (e.g., Infinity CentralStation) to allow a better overview of multiple ICU beds. Alarms can be delivered to the current location of the caregiver instead of alarming just locally at bedside, allowing for faster and better response. Patient data does not need to be entered multiple times into different systems, but can be automatically exchanged between those systems, enhancing the complete documentation.
In which way do Dräger devices connect with a hospital network?
HM: None of our devices requires direct internet access. Depending on the device, it can either be part of a physically or logically separated network (e.g., Infinity Network) or part of the hospital network (e.g., Perseus A500, Innovian Web).
What does Dräger do to protect the devices from a hacker's attack? What kind of security levels are there?
SB: We incorporated security deeply within our software development lifecycle. Therefore, we train developers in secure coding practices, include cybersecurity in our risk management processes, do architecture and code reviews, and run automatic vulnerability scanners and static code analysis, and undergo professional penetration tests by independent partners. Nevertheless we recognize that no code is without flaws. For externally found potential security vulnerabilities in our products we provide a single point of contact to our product security incident response team viahttp://static.draeger.com/security.
Security of networked devices always consists of two parts. On the one hand the security of the device itself, on the other hand the security of the entire system, e.g., the network. The last part is a joint effort between us - the vendor - and the hospital IT configuring and maintaining the network.
What are the limitations of a manufacturer when it comes to a hospital network? When does the responsibility of the hospital kick in?
SB: The hospital and the manufacturer have a shared responsibility in securing the IT networks. The manufacturer needs to notify the hospital of the steps necessary to operate devices in a secure manner, i.e. in particular, stating the intended use environment. It is the hospitals reasonability to implement and monitor these steps, e.g. by performing a risk analysis according to DIN EN 80001-1. Dräger commits to being a trusted partner to ensure that the hospital can use devices securely.
How would a caregiver, e. g. during an operation or exam, notice that a device is being hacked?
HM: Our devices continuously monitor themselves for unexpected circumstances like high CPU (central processing unit) load, memory and hard disk consumption, or network traffic. Many of this can be recognized by the caregiver, as the device might start to act slow or unresponsive. As a last resort most devices automatically perform a reboot (warm start) from an unmodifiable image, which means that afterwards the device is, e.g., free of malware.
SB: Frequent unforseen reboots may be an indication of a directed attack, like a Denial-of-Service. However, a huge effort is taken to secure the therapeutic function of Dräger's devices. E. g., such a reboot of the cockpit of the ventilator doesn't stop the ventilation of the patient.
In software products, indicators of a possible attack may be defaced user interfaces or strange data sets containing special characters like slashes or brackets or other punctuation marks.
Nevertheless, in some circumstances the caregiver may have no indication of malicious activity.
For Dräger: What is the actual threat coming from a hacker's attack - is it the data they can steal or manipulate or is it the control they can take over the machine?
HM: Both threats are there and must be dealt with. While the theft of data is the more likely scenario of an attack, our devices contain only very little data. For a data thief these are relatively unattractive targets compared to, e.g., patient data management systems. There is a third group of attacks that is way more likely: accidental or collateral damage. This can either be IT admins acting in good faith running security scans on their networks, which produce unexpected data traffic on those networks that devices need to cope with. Or it can be, e.g., bored patients acting out of curiosity without thinking of the possible consequences. We are not aware of any of Dräger's products being compromised while in clinical use.
Dräger. Technology for Life®
Dräger is an international leader in the fields of medical and safety technology. Our products protect, support and save lives. Founded in 1889, Dräger generated revenues of around EUR 2.5 billion in 2016. The Dräger Group is currently present in more than 190 countries and has more than 13,000 employees worldwide. Please visit www.draeger.com for more information.
Contact
Local press contact:
Imogen Palmer
Tel +44 1442 292 882
Draeger Medical UK Ltd.
The Willows, Mark Road
Hemel Hempstead, HP2 7BW
United Kingdom
Corporate Communications:
Melanie Kamann
Tel +49 451 882-3998
Drägerwerk AG & Co. KGaA
Mosilinger Allee 53-55
23558 Lübeck, Germany
www.draeger.com
www.twitter.com/DraegerNews
www.facebook.com/DraegerGlobal
www.youtube.com/Draeger
Press release No. 95
07th November 2017