fbpx
1-888-310-4540 (main) / 1-888-707-6150 (support) info@spkaa.com
Select Page

OSS, Heartbleed, and the Impact on Medical Device Design

medical device industry image blood cells in vein
Written by Mike Solinap
Published on June 17, 2014

The use of open source software (OSS) within the medical device industry is a double edged sword. On one end of the spectrum, you have freely available code that is available for the world to scrutinize. In the process, one would hope that bugs are more easily identified. OSS also allows medical device design engineers the ability to quickly bring their product to market. By being able to modify existing code, integration into the product is much more feasible.

On the other end of the spectrum, OSS can be analyzed for vulnerabilities, which could be used for malicious purposes. This was the case with the Heartbleed bug – a recently discovered vulnerability affecting a large fraction of OpenSSL based servers.  Should medical device manufacturers give OSS a second thought?Patient data and safety is what’s at risk, and it’s a big risk most manufacturers may not want to take.

SPK Engineers work closely with product development groups. In the process, our expertise in infrastructure systems and application lifecycle management (ALM) often times leads to contributions towards a customer’s product directly. Here are a couple of suggestions I would make whether or not a customer decides to incorporate OSS into their own product, or is concerned about the Hearbleed bug or potential future vulnerabilities.

Use a traditional, tiered application architecture. By having a separate set of nodes with separate roles, it is possible to compartmentalize the data that is processed or stored on each of them. For instance, the Heartbleed bug allowed hackers to request arbitrary segments of memory from an OpenSSL based server. If perhaps a database server was running on the same machine, it’s possible that memory resident portions of the database could be read. With a proxy node in place, it could terminate the SSL session and simply relay back to the main application node. With nothing else running on the node, the risk for data leakage would be mitigated.

Use diverse vendors where possible. Imagine an all-Microsoft shop. Proxy servers, web servers, firewalls, operating systems all come from the same vendor. In the case of the Heartbleed bug, this actually would have been a good thing to have. But let’s not forget about all of the vulnerabilities that have come from this vendor historically. Having multiple vendors in your stack could provide yet another ingredient in your multi-layer security approach.

Next Steps:

Mike Solinap
Professional Services Manager
SPK & Associates

Latest White Papers

Costs and Benefits of Moving a .NET Application to the Cloud

Costs and Benefits of Moving a .NET Application to the Cloud

Do you know the full cost and benefits of moving your .NET application to the cloud? In this guide we’ll cover everything you need to know about your .NET cloud migration. Is this guide for you? If you’re faced with outdated legacy systems and the pressures of digital...

Related Resources

What is Observability And How Can It Optimize IT?

What is Observability And How Can It Optimize IT?

Your IT architecture is anything but simple. In fact, it’s more like the complex, yet silent spinal cord of your business functions. But what can you do when something goes wrong? Monitoring tools give you a partial view into business performance (or issues),...

Costs and Benefits of Moving a .NET Application to the Cloud

Costs and Benefits of Moving a .NET Application to the Cloud

Do you know the full cost and benefits of moving your .NET application to the cloud? In this guide we’ll cover everything you need to know about your .NET cloud migration. Is this guide for you? If you’re faced with outdated legacy systems and the pressures of digital...

Codebeamer vs. 12 Symptoms Of Poor Requirements Management

Codebeamer vs. 12 Symptoms Of Poor Requirements Management

Managing requirements can feel like a flawed game of telephone—messages get distorted by the time they reach their destination. This doesn't just waste time and resources, but puts the entire project at risk. Legacy tools often fall short in meeting modern project...