Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Good Idea?


Or Eight Questions You Should Ask Yourself before doing that.


Most vendors who create embedded devices – especially medical devices such as network-connected X-Ray machines, connected lab equipment and similar systems – are smart, and understand the need to secure them against external threats such as malware. Such devices often run a common operating system such as Windows Embedded or Linux, and are susceptible to the same kinds of malware threats as their non-embedded counterparts. Protection against malware is therefore an important consideration when securing such devices.

A possible approach to securing those devices is to install an off-the-shelf antivirus product. The advocates of this approach typically come up with convincing arguments such as:

• This antivirus is used successfully by millions of users, so there should be no issues running it on your devices;

• Your engineers are familiar with the antivirus installation and maintenance;

• The installation is quick – your device would be secured in a couple of minutes, with no integration needed;

• It is very cheap – in some cases it could even be free!

Sounds like a plan? It does at first glance. But before you decide it is a good idea, please read on. There are a number of questions you need to ask yourself before making such a decision, and this article will help you with them.


Question 1: Would the product UI confuse my users?

Imagine your connected X-Ray machine got infected. Maybe someone plugged in a USB stick with malware and opened an image file which triggered a vulnerability in a parser. Maybe one of the Windows services running on it had a remote code execution vulnerability and was attacked over the network. The antivirus detected the threat, and…

… and popped up the message on the screen!

Now a typical desktop user who installed Bitdefender antivirus would obviously understand what’s going on. However, the technician operating the X-Ray machine might never have heard of Bitdefender, or (unlikely, but possible) might not even know that antivirus software exists at all. So they might not know what to do with this. They might even click on “More details” (assuming your interface supports it in the first place!) and get even more confused. Most likely this will result in their typical workflow being interrupted and your support being called. At this point the local IT department might get involved, and hopefully would fix it.

Rule: a security solution running on a medical device should be able to report infections to an appropriate department, and do so without workflow interruption.

There is absolutely no need for the technician to even see this message. The infection should be blocked automatically, but blocking alone is not enough: because the infection was present, the IT department must be notified so they can find out how it got there and clean any other infected machines nearby. In the case of a hospital this is their IT department, but if you are the one offering support, it should be YOUR IT department. Either way, this should not confuse the operators or break the workflow.

Another issue is changing the product settings remotely. One option is to install remote management software on each device and modify the settings manually. The problem is that you can only do this during non-business hours, or people would be alarmed by mysterious dialogs popping up on the X-Ray control panel. And if your business is doing well and you have sold not one machine but thousands, that is a lot of work. Then next week someone finds out one of the settings was set incorrectly, and you are repeating the whole exercise again.

Solution: when you license the anti-malware technology as a Software Development Kit (SDK), there is no UI at all. You are in complete control of the whole business logic: you decide what to do when infections are detected, and where and how they are reported. And you tell the SDK which settings should be used. The settings could be stored on your server, and your solution could download them and apply them to all machines simultaneously, ensuring the best protection and the best user experience for your valuable customers.


Question 2: Can I exclude the useless components?

A security product typically includes a lot of features. Those related to malware detection are useful to you, but the other features might not be. For example, the antivirus product could include an anti-spam module, which makes no sense on the X-Ray machine control panel. There could be a built-in ad blocker, password manager, parental control, online banking protection, and a zillion other features that make no sense for your use case. Those features are quite useful for desktop users, but they have no place in your environment.

Rule: a security solution running on a medical device should only contain the necessary components, and no more than that.

You might think it is not really a big deal. What is the harm in extra features which nobody will use? But please consider the following issues:

• Each of those features consumes some disk space, CPU, memory and (sometimes) network bandwidth. Those are valuable resources which could be used by your application to perform faster, do more processing or offer more features.

• Each of those features might have bugs, for which a product update will be issued. This means you would have to update the antivirus much more frequently than if those features were excluded. The update might only fix issues in the anti-spam module, but since few vendors are that specific in their release notes, you are likely to be forced to install every single product update.

• Some of those features might actually create issues. For example, there may be an automatic “system optimization component” which reconfigures the system for the “best user experience” and changes the screen resolution, breaking your application layout. Or there may be a “disk space cleanup” feature which deletes your application’s temporary files as “unused” right when it was about to start processing them.

• And some features may be outright dangerous. For example, the antivirus might include automatic remote backup, which uploads all documents to a remote location. This may lead to leakage of documents containing medical information, and such an act might be against the laws of your country – such as HIPAA in the USA – exposing your company to a lawsuit. Some products may include device tracking and remote wipe features, which could be abused remotely if misconfigured.

Solution: when you license the anti-malware technology as an SDK, you only license the components which you need. You don’t pay extra for components you won’t use, and you don’t include components such as a “system optimizer” which have no place in your professional solution.

Question 3: Can I control the antivirus use of the Internet?

A medical facility often has a restrictive Internet access policy, and for good reason. However, antivirus products need to be updated frequently, or their ability to cope with new threats is reduced. And some antivirus products require an Internet connection to be available even for basic functionality, such as malware scanning, and will not work at all without one. This may create issues, because many medical devices are portable and are constantly moved between wards within the hospital – and even if a unit is not, it may be installed in a place where no network connection is available at all.

Rule: a security solution running on a medical device should work with limited Internet usage, and should remain fully functional if the network connection is interrupted.

Can you configure the antivirus to download its updates – including product updates – from an internal server? Note that this is not a typical home user configuration, so your product will not have it built in – you might need some extra software for that. Can you get it, and under which terms?

And can your antivirus function without an Internet connection, and if so, how much functionality would be missing? Most modern products just print “Internet connection required” on the box, and almost nobody explains in the documentation which components and functionality depend on the Internet, what speed and throughput are required, and how much traffic the product would consume daily.

Solution: when you license the anti-malware technology as an SDK, this information is always available to you. Moreover, an experienced vendor such as Bitdefender would be able to offer different SDKs based on your needs, which differ in their requirements for Internet connectivity. Also, the situation with firewalled networks is common among technology partners, so you will get access to a supported solution which performs update mirroring and lets hospitals set up their own secure update servers.


Question 4: Can the antivirus work with my device security measures?

You might create a very secure device, using a read-only file system to store executable binaries, and using snapshots for the document areas – including the registry – that are restored upon reboot. This way any changes made to the configuration by one doctor on your device can be easily reverted when another doctor comes on duty.

But does the antivirus support it? This is certainly not a typical end-user configuration, even in corporate environments, so don’t be surprised if it does not. For example: it might rely internally on binary patching, and break when the binaries are located on the read-only file system. It might store the current update version in a registry branch which is not preserved, and after a reboot find that the updates have been reverted and no longer match the registry.

Rule: a security solution running on a device with unique requirements should be explicitly cleared by the vendor to support those requirements.

Moreover, even if the current version you tested works in this environment, there is no guarantee the next version will work too. This is certainly not the use case the vendor tests the product on – so your luck here is, indeed, just pure luck. But do you want to gamble with security?

Solution: when you license the anti-malware technology as an SDK, you are in complete control of which files are stored, and where. You can integrate the antivirus update process with your read-only protection mechanism, allowing write access for some components only for a specific time window, which lets the security solution function properly while maintaining a higher degree of security for your device than your competitors.
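One way to implement that update window, as an added example written for this page rather than code from the paper or from any Bitdefender SDK. It is Python for a Linux-style layout; the package format (a directory of files plus a manifest of SHA-256 hashes and a version), the directory names and the marker file name are assumptions, and chmod on the data directory stands in for remounting the partition read-write and back. It demonstrates the failure mode described above: the installed-version marker is kept next to the signature files rather than in a snapshotted area such as the registry, and the boot-time check compares the files against the marker instead of trusting a version number, so a snapshot rollback or an interrupted copy is detected and repaired.

```python
"""Signature updates on a device whose data area is read-only outside an
update window and may be rolled back by a snapshot restore at reboot.
Added example, not code from the paper or any vendor SDK. Assumptions: a
package is a directory plus manifest.json {"version", "files": {name: sha256}};
chmod stands in for remounting rw/ro; a real package would also carry a
vendor signature over the manifest (not shown)."""
import hashlib
import json
import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path

MANIFEST = "manifest.json"
VERSION_MARKER = ".installed"  # kept NEXT TO the files, never in a snapshotted area

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def set_writable(directory: Path, writable: bool) -> None:
    """Stand-in for `mount -o remount,rw` / `remount,ro` of the data partition."""
    os.chmod(directory, stat.S_IRWXU if writable else stat.S_IRUSR | stat.S_IXUSR)

@contextmanager
def update_window(directory: Path):
    """Data directory is writable only inside the block; locked again even on error."""
    set_writable(directory, True)
    try:
        yield directory
    finally:
        set_writable(directory, False)

def make_package(pkg_dir: Path, version: str, files: dict) -> None:
    """Constructed update package for the demo; the vendor's packaging tool
    would produce (and sign) this on the vendor side."""
    pkg_dir.mkdir(parents=True, exist_ok=True)
    for name, content in files.items():
        (pkg_dir / name).write_bytes(content)
    manifest = {"version": version,
                "files": {n: sha256_file(pkg_dir / n) for n in files}}
    (pkg_dir / MANIFEST).write_text(json.dumps(manifest))

def verify_package(pkg_dir: Path) -> dict:
    """Refuse a package whose files do not match its manifest, before the
    write window is ever opened."""
    manifest = json.loads((pkg_dir / MANIFEST).read_text())
    for name, digest in manifest["files"].items():
        if sha256_file(pkg_dir / name) != digest:
            raise ValueError(f"hash mismatch for {name}")
    return manifest

def installed_state(data_dir: Path):
    """Return (recorded_version, consistent). Inconsistent = marker missing, a file
    missing, or a hash off: what a snapshot rollback or interrupted copy looks like."""
    marker = data_dir / VERSION_MARKER
    if not marker.exists():
        return None, False
    recorded = json.loads(marker.read_text())
    for name, digest in recorded["files"].items():
        f = data_dir / name
        if not f.exists() or sha256_file(f) != digest:
            return recorded["version"], False
    return recorded["version"], True

def apply_update(pkg_dir: Path, data_dir: Path) -> str:
    manifest = verify_package(pkg_dir)
    data_dir.mkdir(parents=True, exist_ok=True)
    with update_window(data_dir) as d:
        for name in manifest["files"]:
            (d / name).write_bytes((pkg_dir / name).read_bytes())
        # Marker last: a crash mid-copy leaves the old marker, so the next boot
        # sees "inconsistent" and re-applies instead of "version N, done".
        (d / VERSION_MARKER).write_text(json.dumps(manifest))
    return manifest["version"]

def ensure_current(pkg_dir: Path, data_dir: Path) -> str:
    """Boot-time check: re-apply when files and marker disagree or the package
    is newer, regardless of what any version number alone claims."""
    wanted = json.loads((pkg_dir / MANIFEST).read_text())["version"]
    version, consistent = installed_state(data_dir)
    if consistent and version == wanted:
        return "already-current"
    apply_update(pkg_dir, data_dir)
    return "reapplied"

def temp_dir() -> Path:
    return Path(tempfile.mkdtemp())

if __name__ == "__main__":
    pkg, data = temp_dir(), temp_dir()
    make_package(pkg, "2016.07.1", {"sigs.dat": b"A" * 32, "engine.bin": b"B" * 32})
    print(apply_update(pkg, data), installed_state(data))
    set_writable(data, True)                      # simulate a snapshot rollback
    (data / "sigs.dat").write_bytes(b"OLD" * 8)
    set_writable(data, False)
    print(installed_state(data), ensure_current(pkg, data), installed_state(data))
```

On a real device the two chmod calls become the remount (or the equivalent write-filter toggle on Windows Embedded), and the manifest should be signed by the vendor and the signature checked in verify_package before any hash is compared; the structure of the check does not change.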


Question 5: Can I use the antivirus built-in extra functionality?

Most antivirus products do a good job of protecting themselves from malware. Typical malware – even possessing administrative privileges on Windows – cannot delete the antivirus files, kill its process or write to its memory. However, an off-the-shelf product – including enterprise products – typically does not offer these self-protection features for you to incorporate into your application.

Rule: a security solution running on a medical device should protect not just itself, but the medical application too.

The protection functionality offered by the underlying technology is very powerful – you can prevent modification of files, registry keys and process memory. In some cases you can even prevent reading of the process memory – even if the attacker possesses administrator rights! This provides a higher degree of security, and is very useful in securing your device against internal attackers. Note that this protection is enforced by the antivirus’s kernel-mode component, so it defends against user-mode attackers, administrators included; it does not defend against an attacker who is already running code in the kernel.

Solution: many experienced technology licensing vendors, such as Bitdefender, offer this functionality as part of some of their SDKs, so when you need it, you’re covered.


Question 6: Does the antivirus leak any data which could get me in trouble?

Many antivirus products see their main job as protecting the consumer, including the consumer’s privacy. But they protect it only from the “bad guys”. They might not be protecting it from the “good guys”, and certainly not from themselves. Your security product – even an enterprise product – might be sending a lot of information back to the vendor, such as diagnostic information, some scanned files, some visited URLs and so on. This might not be acceptable for a medical device, and might even be considered a violation of patient information protection laws, such as HIPAA in the USA.

Rule: a security solution running on a medical device should send out no protected or identifiable information – even back to the vendor.

In case you’re using a free product, the situation is typically even worse. Vendors offering free products need to make money to stay in business, so they typically collect a lot of information, which could then be shared for profit. Remember the old saying: “if you’re not paying for the product, you are the product”. The problem is that even if you are paying for the product, the vendor might still “subsidize” the lower price with information sharing. And transparency differs among vendors – while some are very open about this, others bury it in legalese on page 268 of their privacy policy, where it is unlikely ever to be discovered.

Another possibility is that the antivirus vendor itself uses one or more third-party technologies internally, and those technologies share your data in turn. This makes it much more difficult to find out which information is shared and how it is used, since you might not even know the third-party vendor exists (those partnerships are typically not public information). And even if you are aware of this issue, what happens if the technology vendor is changed, or acquired, or changes their privacy policy tomorrow?

Solution: when you license the anti-malware technology as an SDK, it typically does not share anything at all. You can enable sharing of specific information which would gain you certain benefits (for example, if you want certain files to be re-analyzed manually to determine whether they are malicious, you would have to share them). But this sharing always happens consciously: you are always in control of what you want to share, and can stop sharing at any time, or on a per-customer basis. You can also always ask the vendor to clarify whether any third-party technology is used, and act accordingly.
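One way to wire together the headless reporting from Question 1 and the “send nothing identifiable” rule from Question 6, as an added example written for this page and not code from the paper or from any Bitdefender SDK. It is Python; the engine callback is simulated (a real integration would call the handler from the SDK’s detection hook), the transport is an in-memory list standing in for an HTTPS POST or syslog message to the responsible IT department, and the policy keys, the quarantine action and the device id format are assumptions. The two checks it shows are that a server-pushed policy is validated fail-closed before it is applied, and that the event sent to IT carries a hash of the infected file’s path rather than the path itself, since paths on a modality console routinely contain patient identifiers.

```python
"""Headless detection handling for an embedded medical device.
Added example, not code from the paper or any vendor SDK. The engine hook is
simulated; 'transport' stands in for an HTTPS POST or syslog to the IT
department responsible for the device. Policy keys, the quarantine action and
the device id format are assumptions."""
import hashlib
import json
import time

# The only settings the central server may change, with their defaults.
# Unknown keys and bad values are dropped, so a typo on the server or a
# stale policy file can never switch protection off.
DEFAULT_POLICY = {
    "on_detect": "quarantine",     # or "block": deny access, leave the file in place
    "scan_removable_media": True,  # consumed by scanner setup (not shown here)
}
VALID_ACTIONS = {"quarantine", "block"}

def apply_policy(current: dict, pushed: dict):
    """Merge a server-pushed policy into the current one, fail-closed.
    Returns (merged_policy, rejected_keys)."""
    merged = dict(current)
    rejected = []
    for key, value in pushed.items():
        known = key in DEFAULT_POLICY and type(value) is type(DEFAULT_POLICY[key])
        valid = key != "on_detect" or value in VALID_ACTIONS
        if known and valid:
            merged[key] = value
        else:
            rejected.append(key)
    return merged, rejected

def redact_path(path: str) -> str:
    """Paths on a modality console often embed a patient name, accession or
    study id; a hash lets IT correlate the same file across devices without
    putting that identifier on the wire."""
    return hashlib.sha256(path.encode("utf-8")).hexdigest()

def build_event(device_id: str, threat: str, path: str, action: str, ts: float) -> dict:
    return {
        "device_id": device_id,
        "threat": threat,
        "path_sha256": redact_path(path),
        "action": action,
        "ts": int(ts),
    }

class HeadlessHandler:
    """Called by the engine on a detection. No UI: apply the policy's action,
    record it locally, and queue a redacted event for IT."""

    def __init__(self, device_id: str, policy: dict, transport):
        self.device_id = device_id
        self.policy = policy
        self.transport = transport   # callable(bytes) -> None
        self.quarantined = []        # a real integration moves the file to an encrypted store

    def on_detection(self, threat: str, path: str, ts=None) -> dict:
        action = self.policy["on_detect"]
        if action == "quarantine":
            self.quarantined.append(path)
        event = build_event(self.device_id, threat, path, action,
                            time.time() if ts is None else ts)
        self.transport(json.dumps(event, sort_keys=True).encode("utf-8"))
        return event

def contains_raw_path(event_bytes: bytes, path: str) -> bool:
    """Self-check before shipping a report: the raw path must not appear in it."""
    return path.encode("utf-8") in event_bytes

if __name__ == "__main__":
    policy, rejected = apply_policy(DEFAULT_POLICY, {"on_detect": "disable"})
    print("rejected keys:", rejected)
    outbox = []
    handler = HeadlessHandler("xray-0042", policy, outbox.append)
    print(handler.on_detection("Trojan.Generic", "D:/Studies/DOE^JOHN/IMG0001.dcm"))
```

The transport is the one place the vendor-facing and hospital-facing choices meet: point it at your own IT department when you provide support, or at the hospital’s when they do, and keep the event schema small enough that you can state in writing exactly what leaves the device.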


Question 7: Is my operating system supported?

Does the antivirus documentation say it supports the operating system you are running it on, such as Windows 7 Embedded? Or it doesn’t, but you called the sales department and they assured you: “Did I just hear ‘Windows’? Yeah, it surely works on Windows!” Or – even worse – one of your engineers bought the antivirus in a store, installed it on your device, popped up the UI, played with it for 15 minutes and wrote a report saying “it works”?

Rule: if the antivirus specification does not say the OS is supported, it is not.

You might think it is easy to ignore this rule – after all, you just need to test the antivirus yourself on the OS, right? Nope. First, this is not easy – you need to spend major effort to ensure the antivirus works properly on this OS. This requires a complete test, and the complexity of the task becomes obvious once you understand it is not enough just to install it, click on the UI popup, perform a scan and mark it as “checked”.

What if the antivirus affects some functionality of your device hardware? This may be obvious, as when the antivirus disables a touch screen because of a driver conflict. But it might be less obvious, as when you find out that when your X-Ray tries to upload its images to a central server, the connection is blocked as suspicious. Or that after your software has been running for two weeks, the antivirus behavior analysis module decides it is malware, and it gets deleted. Just to find things like that requires a long-running test of your whole application’s functionality together with this antivirus.

There could also be upgrades – OS upgrades, your application upgrades, product upgrades. The OS gets a security update, and the antivirus driver no longer recognizes the OS as a supported version. It did not check this before the update, but now it does, and the antivirus stops working, or crashes the OS on boot. Or the antivirus vendor made some changes to make it “Windows 2020” compatible – and those exact changes broke compatibility with your OS.

With all those issues you are completely at the mercy of the security vendor. Maybe they would listen to your pleas and restore the functionality – after accepting a fat check, no doubt – but even then the result is not guaranteed, especially an urgent one.

Solution: when you license the anti-malware technology for your operating system, it is guaranteed to be supported for the duration of the contract. An experienced vendor will also help you test your product to ensure there is no incompatibility between your product and their code, and will promptly fix any issues there are. With SLAs at your back you will feel much more comfortable facing your demanding customers.


Question 8: Will the antivirus vendor support my use cases?

What happens if the antivirus decides that your product’s update executable is malware? After all, it downloads executable files from the Internet and then overwrites existing executable files with them – this is how a lot of malware acts, so a false positive is certainly possible. What would you do in this case?

Rule: if you purchase off-the-shelf product, expect off-the-shelf support.

Most likely you will call product support. With an off-the-shelf product it would probably take a while to reach someone who can actually understand the issue, and even longer to find someone capable of taking action on your behalf. Even if you purchased the enterprise version and reached enterprise support, they still might not be familiar with the nuances of your product – after all, it does not resemble a typical enterprise environment!

In any case, expect to submit your product for analysis (the antivirus vendor needs to make sure it is indeed a clean product and not malware), and this analysis might take some time too. Note that since there is no NDA between you and the antivirus vendor – and since it is you who are experiencing the issue, not them, they might not be willing to sign one – your product binaries might be shared with third parties.

Of course, when the next version of your product update is finally downloaded, you may be up for the same procedure again – because it is a different binary now, and the antivirus vendor has no way to know about it or to test against it. Signing your updater and update binaries with a publicly trusted code-signing certificate helps with many products’ reputation systems, but it is no guarantee: signed binaries are still subject to heuristic and behavioral detection.

Solution: when you license the anti-malware technology, as part of the deal you receive access to a completely different level of support – sometimes you can even communicate directly with engineers and researchers. This means your problems are fixed fast, and most of them would not even happen – because support would think ahead to this scenario and ask you to submit your new product binaries in advance, so the vendor can ensure they are not falsely detected. And of course your submissions would be covered under a typical business NDA.


Conclusion

As you can see, there are significant advantages to licensing anti-malware technology from a trusted vendor versus using an off-the-shelf product to secure your device. Even though off-the-shelf products may be the easiest to deploy, anti-malware SDKs offer greater flexibility to avoid the typical problems associated with them.

All Rights Reserved. © 2016 Bitdefender. All trademarks, trade names, and products referenced herein are property of their respective owners.

FOR MORE INFORMATION VISIT: bitdefender.com/oem/

1807 2016-Bitdefender-OEM-Papers-UseOffShelf-en_US

Bitdefender delivers security technology in more than 100 countries through a cutting-edge network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced market-leading technologies for businesses and consumers and is one of the top security providers in virtualization and cloud technologies. Bitdefender has matched its award-winning technologies with sales alliances and partnerships and has strengthened its global market position through strategic alliances with some of the world’s leading virtualization and cloud technology providers.