Panel: Challenges in Securing Medical Cyber-Physical Systems

Moderator: Dr. Krishna Venkatasubramanian, Worcester Polytechnic Institute

Panelists:

• Eugene Vasserman, Kansas State University

• Denis Foo Kune, University of Michigan

• Pat Baird, Baxter

• Srdjan Capkun, ETH Zurich

Abstract:

An explosion in the capability of medical device platforms has made it possible to make healthcare both pervasive and effective. From pacemakers to interoperable medical device systems in ICUs to smart-prosthetics to body sensor networks, medical device platforms are becoming increasingly cyber-physical in nature. That is they are: (1) tightly coupled with their environment, the human body, for monitoring and actuation, and (2) usually deployed as part of a large collection of integrated system of systems. The availability of medical cyber-physical systems (MCPS) has many potential benefits including the development of smart patient alarms, provision of safety interlocks, closed-loop health monitoring, pervasive and timely health management and so on.

Much work is going on in designing the MCPS to be safe, especially in the cases where the underlying systems fail. However, the interactive and safety-critical nature of MCPS makes them obvious targets for exploitation by malicious actors. The failures from such exploitation usually have features that are inherently different from models of failures in more benign environments. Therefore, preserving security within such MCPS is essential for ensuring patient safety.

Given the diversity of applications that fall under MCPS, the threats and the security challenges for each of these applications are overlapping but different. In this panel, we will discuss what it takes to secure MCPS, including appropriate threat models, and outstanding challenges, the potential approaches. The panel members are experts in the design of different MCPS applications. Based on their individual experiences, the overall goal is to try to synthesize a general set of research challenges for the broader domain of MCPS. The discussion and recommendations of this panel will be relevant to anyone interested in designing secure MCPS.

Position Statements

Krishna Venkatasubramanian. MCPS systems have to be fundamentally safe --- that is they should not harm the patients they are deployed on. Security for MCPS plays an important part in ensuring safety of such systems. Essentially, a secure MCPS protects its users from faults that are deliberate in nature. This seems to suggest that security is a proper subset of safety when it comes to MCPS. But is this understanding complete? Are there scenarios where securing an MCPS has no safety implications? Privacy-related issues come to mind, even though loss of privacy can have indirect safety implications for users. I would like to discuss the relationship of safety and security when it comes to MCPS.

Eugene Vasserman. Securing MCPS requires a combined approach of best practices and changes in the way medical systems are regulated. Many questions need to be answered first, such as at what level do we consider something to be "secure", e.g., is it enough to have "secure" devices, or do we need to secure facility network infrastructure as well, or do we consider all networked devices and the network as one system? Furthermore, the issue of safety overrides requires discussion -- do we believe the clinician has the final say regarding safety, or do we rely on automation?

Denis Foo Kune. The importance of sharing security related data and setting up the appropriate mechanism to record security events from clinicians. One of the major hurdles I am facing is to determine security events that could have affected patient outcome, but the data is very sparse and if available, it may be faulty due to the amount of security expertise required from clinicians. The importance of system level correlation for sensor level defenses. Sensors may be affected by noise of malicious interference. Many therapies rely on trustworthy sensing. What are the challenges in trusting data from sensors?

Pat Baird. Introducing security concepts and analysis to the existing medical device industry will have two main challenges. One challenge is the learning curve required for any new problem domain. The other challenge is the assessment and prioritization of security work in amongst all of the other demands placed on product development teams.

Srdjan Capkun. Separating and isolating critical from non-critical functionality within MCPSs will be one of the core challenges in this area. These are not general-purpose systems and their core/critical components should be as much as possible isolated from their more open / less critical functions. Securing remote access to MCPSs is another challenge which needs careful design; one needs to make sure that a compromise of a single server or of a single set of credentials does not make a large group of patients vulnerable. This will require careful design of both MSCPs and of the infrastructure that supports them.