level. Driven by the need for rapid response
in emergency situations devices like pacemakers are often readable, but also operationally modifiable, when the correct *type*
of local control device is introduced to the
local network. In these cases, there is often no
defense against a rogue control device being
used by a bad (or unqualified) actor.
Alan Grau: The risks for medical devices
are really not that different than the risk to
other embedded devices. There are two
things, however, that are different.
or patched the software running on med-
ical devices to avoid FDA re-certification.
As a result of being unpatched, they often
have known security vulnerabilities.
for malware in the same way as other
systems in the medical network. If they
do become infected with malware it will
often go undetected for long periods of
time, allowing hackers to operate with
As a result, hackers will often specifically
target medical devices to gain a beachhead
in the network. From there, they will move
laterally within the network to attack other
devices and systems.
Mike Nelson, VP of Healthcare
Solutions at DigiCert: The highest risk
for all types of medical devices is when
patient safety is jeopardized. Many of these
[threats] come from a lack of good security
hygiene and security being built into devic-
es. Commonly, devices lack device authen-
tication, are vulnerable to insecure boot
and updating because of a lack of strong
authentication, and many devices are being
connected by administrators to the net-
work using default passwords shipped with
the device, rather than being properly con-
figured. Insecure practices present possible
threats to patient safety including:
control over a networked device.
unauthorized user might be able to dis-
pense a lethal dose of medicine or cause
the device to malfunction that could
harm the patient.
device causing it to malfunction.
over by an unauthorized user and locked
down until the ransom is paid.
MDT: What types of security mechanisms
should medical device designers be including in
Mike Nelson: Security should be key
in every part of the product lifecycle.
It shouldn’t be handled as an afterthought.
Device manufacturers should consider:
access and control of the devices.
patches getting to the device.
cutting or welding models available
no laser maintenance
configurable and cost-effective
multiple laser options available
MULTI-AXIS LASER SYSTEM
FIBER LASER | PROCESSING HEAD | PRECISION MOTION SYSTEM
ALL ENGINEERED & MANUFACTURED BY IPG PHOTONICS