One of my recent projects had me shepherd the development and rollout of an embedded firewall for medical / clinical diagnostic devices in compliance with U.S. HHS / FDA rules on patient data privacy. Without going into details, a number of new, long-awaited requirements have sprung up within the past few years requiring data protection technology and processes in environments handling sensitive patient information.
This creates a bit of a conundrum for medical device and software manufacturers, insofar as all medical products, not just drugs, must undergo a massive, periodic set of verification and validation tests in order to ensure that they actually do what they’re supposed to, and will not result in minor side effects like genital herpes, limb removal or spontaneous combustion. Validation is expensive — bringing a drug to market can cost nearly $1 billion; any changes, upgrades or additions must go through punishing testing procedures. The same applies to clinical devices — MRI scanners, blood testers, and the myriad of associated machinery — plugs, cables, batteries — anything that somehow processes or plays a role in the processing of patient data. Fine.
For IT systems, this is a bit of an issue, especially in light of increased connectivity of hospital and other medical products. When to re-validate? Software upgrade? New feature set? Security patch? Antivirus pattern update? As we all know, bugs lurk everywhere, and even innocuous changes could bring about unwanted effects in poorly privilege-separated systems. This becomes worse when consumer operating systems start being used to run task-specific machinery; common development platforms keep costs down and allow for faster and broader-ranging feature implementation, but despite the inevitable whining about security-through-obscurity-is-not-real-security, having an off-the-wall operating system cuts both ways, in that it may hide flaws less likely to be spotted by peer review, but also often requires targeted intrusion attempts in order to break.
So given that clinical validation and revalidation of upgraded software so as to ensure continued reliability can cost anywhere around $500,000 a pop in time, resources and grief, offloading network security is a good thing. Despite the discrediting of eggshell models of network security (I still firmly believe that any system should be able to survive if exposed on an open network, even if this is not necessarily wise), if it’s simply not feasible to secure everything, you might as well protect it. The difficulties in validating and maintaining such systems, though, make it desirable to keep things as simple as possible.
Enter m0n0wall and WRAP / ALIX. This is the most killer hardware/security platform combo I’ve seen. I have a few of these on the older WRAP board running for years now without a hitch. They are incredibly robust, simple, without moving parts, and tolerant; my WRAP boards have been dropped, drenched, plugged into massively off-spec power supplies and otherwise abused. There’s a mini-PCI slot for a wireless card, and newer ALIX boards have VGA-out, sound, USB and serial.
M0n0 has a friendly interface, a great support community and a tremendously motivated developer behind it. Anyone familiar with basic firewall or crypto terminology will figure it out instantly; it’s fast, lightweight and has never crashed on me. My only bitch is that changing an inbound NAT rule does not automatically adjust associated firewall rules, but that’s a pretty minor thing. Best of all, it’s FreeBSD-based and conducive to hacking.
