"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code.

We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.

If you're serious about implementing protocols correctly, you need the Codenomicon tools."

-- Jeremy Allison,
   Co-Creator of Samba



Fuzzing for Medical Devices

Security Testing for Medical Devices



Introduction

Technological development has brought an abundance of sophisticated smart medical devices that communicate wirelessly. Fuzz testing is the most effective way to find the security and safety flaws that low-quality code introduces into these devices, and the more critical a device is to patient health, the more rigorous the fuzzing it needs.

The FDA is developing a cybersecurity laboratory into which a fuzz testing capability will be integrated, and it has chosen Codenomicon Defensics as its fuzzing tool.

Download the Executive Summary on Fuzzing for Medical Devices here.

The United States Food and Drug Administration Recommends Fuzzing

The United States Food and Drug Administration (FDA) has acquired Codenomicon Defensics testing tools for its Cybersecurity Testing Lab facilities in order to:

  • discover previously unknown flaws, i.e. zero-day vulnerabilities
  • protect patients
  • recommend that vendors fuzz test as part of their vulnerability assessment before FDA submissions

The FDA recommendation means that:

  • if the FDA finds vulnerabilities, it has the power to deny a medical device manufacturer access to the market
  • this affects everyone from subcontractors and software vendors to the parent company itself
  • medical device manufacturers risk having their components rejected by the FDA if they have not been fuzzed

This extends well into the supply chain (e.g. providers of components and software used by medical device manufacturers). Fuzzing can give them the competitive edge that is needed: fuzzed components are more robust than unfuzzed ones, and fewer call-backs save money and resources.

Medical Device Security

More and more medical devices connect to data systems to help diagnose and monitor patients and their therapies. They rely on both software and hardware in order to function. This means both the software and the hardware must be robust and reliable.

All software has flaws, or bugs, and a bug that has not yet been found is an unknown vulnerability. Vulnerabilities can crash a device, deny service, or make it behave in unexpected and unsafe ways; they can also be used to attack the larger systems a device connects to, and a malfunctioning device can in turn disrupt other connected devices and cause a denial of service. Finding and fixing vulnerabilities is therefore essential to robustness and reliability. The earlier a flaw is found, the easier and more cost-effective it is to fix, and ultimately the safer it is for patients.

Contact sales(at)codenomicon.com for a proof-of-concept case. Let's find out how we can help you!

Fuzzing in the Healthcare Industry

Automated robustness testing, known as fuzzing, is widely recognized as the most efficient way to find unknown vulnerabilities, and it has been used successfully to test the robustness of many communication protocols. In fuzzing, the device under test is fed deliberately malformed messages while its behaviour is carefully monitored: a crash, a hang or an otherwise unexpected response reveals a robustness or stability issue hiding in the code. Read more: Buzz on Fuzzing
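The following is an added example of the technique described above, not Codenomicon's code and not a real medical device protocol. It builds a minimal generation-based fuzzer for a constructed length-prefixed message format, feeds the anomalies to a constructed, deliberately fragile "device" parser, and monitors the parser for unhandled exceptions (the equivalent of a crash) while distinguishing them from graceful input rejection. The frame layout, the MAGIC marker, the message types and the parser's bugs are all assumptions made for this illustration.

```python
"""Added example: a minimal generation-based protocol fuzzer with crash
monitoring. Nothing here is Codenomicon code; the wire format and the
"device" parser are constructed for illustration."""
import random
import struct
from typing import Callable, Dict, List, Tuple

MAGIC = b"MD"         # constructed 2-byte frame marker for the toy protocol
TYPE_MEASURE = 0x01   # payload: sequence of big-endian uint16 sensor readings
TYPE_PING = 0x02      # payload: empty


def encode(msg_type: int, declared_len: int, payload: bytes) -> bytes:
    """Frame = MAGIC | type | uint16 declared length | payload | XOR checksum.

    The declared length may differ from len(payload) so the fuzzer can lie
    about it; the checksum is always recomputed so a case is not thrown away
    by input validation before it reaches the interesting code.
    """
    header = MAGIC + struct.pack(">BH", msg_type, declared_len & 0xFFFF)
    checksum = 0
    for b in header + payload:
        checksum ^= b
    return header + payload + bytes([checksum])


def build_message(msg_type: int, payload: bytes) -> bytes:
    """Well-formed frame with a truthful length field."""
    return encode(msg_type, len(payload), payload)


def device_parse(frame: bytes) -> Dict[str, object]:
    """Constructed target standing in for a device's message handler.

    It trusts the length field and assumes non-empty data, two habits that are
    common in real firmware. ValueError is its graceful rejection path; any
    other exception is a robustness failure the fuzzer should report.
    """
    if frame[:2] != MAGIC:
        raise ValueError("bad magic")
    msg_type, length = struct.unpack(">BH", frame[2:5])   # struct.error on a truncated header
    payload = frame[5:5 + length]
    expected = 0
    for b in frame[:5 + length]:
        expected ^= b
    if frame[5 + length] != expected:                     # IndexError when length overstates the data
        raise ValueError("bad checksum")
    if msg_type == TYPE_MEASURE:
        readings = struct.unpack(f">{length // 2}H", payload)  # struct.error on an odd-length payload
        return {"type": "measure", "avg": sum(readings) / len(readings)}  # ZeroDivisionError on empty payload
    if msg_type == TYPE_PING:
        return {"type": "ping"}
    raise ValueError("unknown type")


def generate_cases(msg_type: int, payload: bytes, rng: random.Random) -> List[Tuple[str, bytes]]:
    """Anomalies derived from one valid seed: boundary values in the length
    field, structural payload anomalies, truncation, and random bit flips."""
    cases: List[Tuple[str, bytes]] = []
    for n in (0, 1, len(payload) - 1, len(payload) + 1, 0x7FFF, 0xFFFF):
        if n >= 0:
            cases.append((f"declared_len={n}", encode(msg_type, n, payload)))
    for p in (b"", payload[:1], payload + b"\x00", bytes(0x1000)):
        cases.append((f"payload_len={len(p)}", build_message(msg_type, p)))
    valid = build_message(msg_type, payload)
    for i in range(len(valid)):
        cases.append((f"truncate={i}", valid[:i]))
    for _ in range(20):
        if not payload:
            break
        mutated = bytearray(payload)
        pos = rng.randrange(len(mutated))
        mutated[pos] ^= 1 << rng.randrange(8)
        cases.append((f"bitflip@{pos}", build_message(msg_type, bytes(mutated))))
    return cases


def fuzz(target: Callable[[bytes], object], msg_type: int, payload: bytes,
         seed: int = 1) -> Dict[str, List[str]]:
    """Send every case to the target and collect crashes keyed by exception type.

    Graceful rejections (ValueError) are correct behaviour, not findings. After
    each case the valid seed message is sent again as an instrumentation check,
    the way a protocol fuzzer confirms the device is still responsive.
    """
    rng = random.Random(seed)
    findings: Dict[str, List[str]] = {}
    valid = build_message(msg_type, payload)
    for name, frame in generate_cases(msg_type, payload, rng):
        try:
            target(frame)
        except ValueError:
            pass
        except Exception as exc:
            key = f"{type(exc).__module__}.{type(exc).__name__}".replace("builtins.", "")
            findings.setdefault(key, []).append(name)
        target(valid)   # a crash here would mean the anomaly left the target in a bad state
    return findings


if __name__ == "__main__":
    seed_payload = struct.pack(">2H", 300, 301)   # constructed: two sensor readings
    for key, names in fuzz(device_parse, TYPE_MEASURE, seed_payload).items():
        print(f"{key}: {len(names)} crashing case(s), e.g. {names[0]}")
```

Two points worth noticing when running it: the random bit flips never find anything because the parser handles any two readings, while the structured length and size anomalies expose three distinct crash classes, and none of them would have been reached if the fuzzer had not recomputed the checksum for each case.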

Benefits of Fuzz Testing

  • Assess and manage risks
  • Increased quality assurance
  • Cost-efficient robustness
  • Quality gate for vendors and contractors
  • Lead position in the industry

The earlier software flaws are found and fixed, the cheaper and easier they are to manage. If flaws remain in equipment after commercial release, a device recall and update is very expensive and difficult to execute. Moreover, regulators are working to make fuzz testing part of the acceptance cycle in the healthcare domain. Human lives may be at stake when a medical device malfunctions, which makes robust and reliable products all the more crucial.

Vulnerabilities and Risks

Software is everywhere in hospitals and medical devices, from electronic health records to a vast number of current and upcoming medical devices. Many new technologies are unstable and lack robustness, and using untested, unreliable devices is an obvious risk to the medical industry. This is why the US Food and Drug Administration (FDA) is now recommending fuzz testing for assessing risk and ultimately ensuring the quality of medical devices.

There are mainly two players in the field of healthcare technology: caregivers and medical device manufacturers. Each faces its own software vulnerability risks.

Risks For Medical Device Manufacturers

  • Regulatory risks: regulators recommend fuzzing, and not delivering to the expected level may prove expensive.
  • Liability risks: vulnerabilities may open the product up to malicious attacks, and re-used code spreads the risk even further.
  • Software lifecycle cost risks: updating and maintaining software after release is expensive.
  • Reputation risks: vulnerabilities discovered by security researchers or malicious actors can cause unfavourable public opinion of device makers.

Risks For Caregivers (e.g. Hospitals)

Security liabilities:

  • Vulnerable, crashing software can jeopardize patients' well-being and make monitoring more difficult
  • Vulnerable software can expose information systems to information leaks (a violation of HIPAA and HITECH) and malicious attacks

Time spent struggling with malfunctioning systems means lost working time and an inability to deliver therapy to patients, and malfunctioning or crashing devices and systems put human lives at risk.