Cybercriminals are increasingly targeting healthcare organisations to steal information and disrupt operations. The entire health care ecosystem is under pressure to improve cybersecurity. Fines, audits, lawsuits, reputational damage, and patient safety are powerful catalysts. No healthcare organisation should think it is safe from cybercrime. Cybersecurity threats to healthcare organisations and patient safety are real. Cyber Safety is Patient Safety!
Connectivity and digitisation of healthcare and associated technologies has enhanced medical device functionality and increased benefits to both patients and users. Whenever connected medical devices connect to hospital or home networks or the internet, they get exposed to cyber threats that can lead to increased risk of harm to patients and users, both financial and safety. Medical devices are valuable to cyber attackers because of the information and data they contain and the profit they can make once that information reaches the dark web.
Since the medical device cybersecurity risk can be a safety concern, they are to be designed, manufactured and utilised in a way that ensures that any risks associated with the use of the device are acceptable risks when weighed against the intended benefit to the patient, and compatible with a high level of protection of health and safety.
Cybersecurity expectations shall be applicable to devices that contain software (including firmware) or programmable logic, as well as software as a medical device (SaMD) or machine learning as a medical device (MLMD).
I would not limit the security by design considerations to medical devices that are network-enabled or contain other connected capabilities.
Medical devices can be susceptible to the same security challenges faced by other code-enabled systems, such as vulnerabilities introduced during design, manufacturing/assembly, implementation, configuration and retirement. Some are attributed to design of the medical device of (e.g., use of plaintext, hard-coded passwords), to coding flaws (e.g., buffer overflows, command injection), denial-of-service, and susceptibility to malware due to missing or improper security patching.
Medical device cybersecurity requires planning and action based on the applicable multiple environmental and use factors as the cybersecurity threat landscape is rapidly evolving. The potential harm to patients and users from an adverse medical device cybersecurity event could clearly include physical harm. There may also be other consequences for patients and users arising from a cybersecurity event including misdiagnosis or potential privacy breach by the disclosure of personal information.
One item that I truly try to remind healthcare providers and hospitals is that patient data is everlasting and cannot be altered or modified after a data leak – as you would with a credit card number for example.
Medical devices often collect, measure, or generate data during their operation, calibration and maintenance. Transmission of such data can become a source of risk if the medical device is capturing Personally Identifiable Information (PII) or other data with privacy implications.
Another great challenge is the third party support and medical device network connectivity because of third-party access. Hospitals may provide this access for remote management functions, maintenance, software/firmware updates, or features/functionality.
The minimal medical device cybersecurity expectations are to provide protection against unauthorised access, unauthorised influence or unauthorised manipulation, minimise risks associated with known cybersecurity vulnerabilities and facilitate the application of updates, patches, compensating controls and other improvements, including making available sufficient information for a user to make decision with respect to the safety of applying or not applying these.
The challenge, in my opinion, is to evaluate and design medical device cybersecurity to address off-label use of devices, exploitation of previously unknown vulnerabilities in the device software or hardware, unsupported or unauthorised user modification of devices to customise a device to perceived needs or preferences and use of device in operating environments that are not or may not be secure.
I truly believe that best, easiest and cheapest way is to secure a medical device by design by developing an understanding of cybersecurity vulnerabilities associated with the medical device and the potential risk during the initial design and development phase, like the following:
Another foundational activity to medical device cybersecurity is threat modeling, and I have written a short guide on how to best conduct one. Threat modeling is an important aspect of the security development lifecycle, which is a process aiming to build better and more secure systems or software. It is a technique, which aims to find assets, analyse potential threats and mitigate them. The following threats can be considered in the evaluation process:
It is important to understand the importance of healthcare professionals in establishing and maintaining cybersecurity in a medical device. I encourage health care professionals, users, and patients to ask questions about the clinical and cybersecurity risk associated with use of the medical device, how security of the medical device must be maintained, what they must do in the event of a suspected cybersecurity breach and what they must do in the event of a suspected cyber security vulnerability.
Procurement is the greatest spot to ask manufacturers and distributors questions about cybersecurity. The concerns include:
If the medical device is to be a connected part of the hospital’s network, then it is imperative to set up a vulnerability management process to monitor and address newly identified vulnerabilities of medical devices via timely patching.
Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in every country. There has been considerable effort by most, if not all, regulatory agencies to grasp the importance of cybersecurity to patient safety and mandating that medical device manufacturers and healthcare organisations consider and plan patient safety.
It is imperative to educate and inform users (patients and staff) of relevant security information to help mitigate cybersecurity risks and help ensure the continued safety and effectiveness of a device. Utilise the medical device instructions and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-malware software, use of a firewall, password requirements).
Finally, assemble the answers/directions to the following questions:
There is a great infographic that was issued by ENISA (EU Agency for Cybersecurity) that really captures what will be dealing with in the foreseeable future, whether in the medical device security or cybersecurity in general:
Technology is revolutionising the way we do business and behave. The emergence of artificial intelligence (AI) as a tool for better health care offers unprecedented opportunities to improve patient and clinical team outcomes, reduce costs, and impact population health. The cost for storing and managing data, data collection via electronic health records, and exponential consumer health data generation have rendered most healthcare ecosystems as data-rich targets. The prevalent use of AI and the emerging regulatory landscape has led to an increased need for standards to define good practice and provide guidance to improve trust and market adoption. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are developing AI standards, including defining key terminology and concepts, risk management, governance implications, data quality, and various topics related to trustworthiness.
Nonetheless, AI security cannot be considered in isolation of existing risk-based security, privacy, and governance foundations, which can address many of the threats that arise using AI systems.