When a Risk Analysis is not a Risk analysis
Superficially at least, there is not a lot of difference between a threat analysis that is part of a software/hardware security assessment and a risk analysis (or hazard analysis) that is performed by a medical device company as part of their submission to the FDA. In the past 2 years, FDA added guidance for cybersecurity for medical devices and the format and language of the guidance is fairly similar.
The problem is that hazard analysis talks about patient safety and relates to the device itself as a potential attacker whereas software security talks about confidentiality of patient data, integrity of the code and its data and credentials and system availability and relates to the device as a black box.
So in fact – medical device risk analysis and cyber security assessments are 2 totally different animals.
Some of my best friends work in medical device regulatory affairs. I admire what they do and I like (almost) all of them on a personal basis.
But – over the past year, I have been developing a feeling of deep angst that there an impossible-to-cross chasm of misunderstanding and philosophy that exists between medical device regulatory people and medical device security analysts like me.
But I can no longer deny that even at their best – regulatory affairs folks will never get security.
Why do I say this? First of all – the empirical data tells me this. I interface with several dozen regulatory professionals at our medical device security clients in Israel and the best of them grasp at understanding security. The worst cases hang on to their document version controls for dear life and claim earnestly even as they are hacked that they cannot modify their device description because their QA process needs several weeks to approve a 3 line bug fix. (This is a true story).
We intend to implement encryption of EPHI in our database running on a cloud server since encryption uses check sums and check sums ensure integrity of the data and help protect patient safety.
True quote from a device description of a mobile medical device that stores data in the cloud…the names have been concealed to protect the innocent. I did not make this up.
The chasm between FDA regulatory and cyber security
The second reason I believe that there is an impossible-to-cross chasm between medical FDA device regulatory people and medical device security is much more fundamental.
Systems like mobile medical devices live in the adversarial environment of the Internet and mobile devices. Unlike traditional engineering domains like bridge-building that are well understood and deal with winds that obey rules of physics and always blow sideways; security threats do not play by set rules. Imagine a wind that blows up and down and then digs underground to attack bridge pylons from 50m below earth and you begin to understand what we mean when we say “adversarial environment”.
General classes of attacks include elevation of privilege, remote code execution, denial of service and exploits of vulnerable application interfaces and network ports. For example:
- Attacker that steals personal data from the cloud by exploiting operating system bugs that allow elevation of privilege. Zero-days that were unknown when your QA people did V&V.
- Attacker that exploits vulnerabilities in directory services that could allow denial of service. What ? We’re using directory services???
- Attacker that tempts users to download malicious mobile code that exploit mobile APIs in order to steal personal data. What? This is just an app to measure blood sugar – why would a patient click on an add that injects malicious code into our code while he was taking a picture of a strip to measure blood sugar??
We talk about an attacker in an abstract sense, but we don’t know what resources she has, when she will attack or what goals she has. Technology changes rapidly; a system released 2 years ago may have bugs that she will exploit today. Our only recourse is to be paranoid and think like an attacker.
Thinking like attackers not like regulators
By being extremely paranoid and thinking like attackers, medical device security requires us to systematically consider threat models of attacks, attack vectors, assets at risk, their vulnerabilities and appropriate security countermeasures for prevention, detection and response.
While this approach is not a “silver bullet” it lends structure to our paranoia and helps us do our job even as the rules change.
And this where the chasm begins. The rules change. There is no QA process. There are no rules. We are not using IEEE software engineering standards from 40 years ago. They are useless for us.
Dorothy – we are not in Kansas anymore. And we are definitely not in Washington DC in a regulatory consulting firm of high-priced lawyers.