Strengthening Cybersecurity: Virtual Software for Medical Devices
By Sarianne Gruber
The advent of smart devices is incredibly exciting. Perhaps medical devices and driverless cars are two devices that will have a huge impact on society. While it is common for the financial world to go for new and more effective security innovations, first, we should get medical devices to even higher levels of security. With both medical devices and connected cars, it is not just money, it is a matter of life and death – Sam Shawki, Chief Executive Officer, MagicCube, Inc.
More and more medical devices are becoming smarter – close to 15% are already on the network and thus vulnerable to cybersecurity attacks. The problem of ensuring the safety of connected devices brought two Silicon Valley veterans together: Nancy Zayed and Sam Shawki, co-founders and the CTO and CEO, respectively, of MagicCube, Inc. Our conversation began with a close examination of the cybersecurity risks associated with connected medical devices. Unfortunately, it is impossible to require all medical device makers to include special hardware to secure data. MagicCube was able to tackle the nearly impossible problem of replicating the security level of a hardware secure element in a software platform. The platform runs a virtual secure container and supports easy, manageable large deployments of such devices.
What differentiates this solution from others is that it starts with safety rather than privacy. Hardware-grade security for mobile via software protects sensitive data and code in mobile apps and has the ability to ensure that a medical device is not hijacked. “It is not enough to delegate the security of the medical device to the network and be dependent on its availability. Networks get compromised. This is why we designed our technology to empower the medical device to put up a fight and remain secure in the presence or absence of the network,” shared Zayed. “If an attacker gets a hold of a defibrillator, a morphine pump, or any smart device that has life or death functionality, the result may be disastrous. We focus on how to secure an environment to identify and secure the communications inside all these devices, regardless of manufacturer,” added Shawki.
The Chertoff Group posted in Forbes: Connected medical devices provide patients and physicians with technology to better manage chronic conditions, improve outcomes and reduce the overall cost of care. They enable fewer doctor visits, reduce response times and shorten hospitalizations by empowering patients to manage aspects of their own care. To mitigate cybersecurity risks associated with connected medical devices and ensure patients continue to derive their full benefits, the industry must not only build security into its innovation process but ensure resources are in place to conduct ongoing monitoring efforts.
The value of investment in cybersecurity lies in the protection of the patient and their data. As a call to action, healthcare organizations need to be empowered to fight or detect any manipulation of this data. Shawki highlighted the two most crucial areas of protection: (1) preventing unauthorized access to the data and (2) securing the mobile health applications used by healthcare personnel.
Telehealth is a prime example in which the device is not within the boundaries of the enterprise. “If there is a device that is not in the hospital, such as an outpatient device, once it’s outside the facility, it is as if it’s in a different country. Telehealth is all over the place, and securing the network is impossible. It’s not your network — it’s a public network. Without the device being secure on its own, any exchanged information can be tainted by a malicious party,” noted Shawki.
A Move from Hardware to Software
Prior to MagicCube, Zayed spent over ten years at Apple as part of the operating system group and has had many years of experience in creating new and innovative software. When questioned on the benefits of going from hardware to software, she simply responded, “It is a ubiquitous way of controlling and deploying the security of your implementation.” She went on to explain the hardware’s static nature: it can only present a barrier, and it cannot intelligently detect what is going on in its environment or communicate with the risk systems at the backend. “Our technology saves the expense and trouble of embedding different hardware components into different devices then working to come up with a protocol for interoperability. We have created our own small micro environment that protects the sensitive data and logic and can talk to a central that is managing all the devices and health applications. If something has changed, the data is not accurate in an instant, the system can deem it untrusted. Therefore, we ensure that all data being transferred can be trusted. An easy way to understand our tech is to think of a credit card with a chip on it. We are that chip, except virtualized. If you have a medical device missing a chip, that is a huge risk,” said Zayed.
The financial world has already adopted the mobile security model. We would like to have the same impact on medical security. This would be a wake-up call for medicine because breaches in the financial world are just a loss of a few dollars. Breaches in healthcare can be fatal. Healthcare organizations need to think about changing their mindsets. Cybersecurity is an investment in building patient confidence and a greater trust in health care. – Nancy Zayed, Founder & CTO, and Sam Shawki, CEO, MagicCube, Inc.