From patches placed on the skin for drug delivery, to pacemakers that can be remotely monitored by medical staff, we are living in an age where we have never had more information or control over our own health.
It is difficult to find an area of technological development with as tangible a benefit to society as the medtech sector. Medical devices have evolved from inefficient and clunky tools to sleek wearables and implants, permitting medical staff to make changes without invasive procedures, and allowing those with chronic illnesses to mine deeper insights, discovering the patterns of their condition.
According to the Harvard Business Review, the electronic medical device market will hit an estimated $398bn by the end of 2017.
Along with all of the benefits does come a certain amount of risk – risk that manufacturers, regulators and healthcare facilities need to mitigate in order to ensure these devices are safe to use, the networks they are accessed on are secure and the devices themselves can be patched against future security threats.
Regulations as they stand
In 2013, former US vice-president Dick Cheney revealed that his doctor ordered the wireless functionality of his pacemaker implant to be disabled, due to fears it could be hacked, similar to a scenario from US TV drama Homeland.
Prof Alan Smeaton, director of the Insight Centre for Data Analytics at Dublin City University, told Siliconrepublic.com: “There’s tremendous sophistication in some of these implantable devices, with some of them being actual defibrillators – jump leads for the heart, so to speak – that when they detect arrhythmias, they administer shocks from coils implanted in the heart, and they do this autonomously.
“The software to monitor this and to react appropriately is intelligent, learning individual heart-rate characteristics and tuning to the individual.
“When visiting the healthcare surgery or office, the data from this needs to be downloaded, and updates to the software, improvements and refinements need to be updated, so two-way communications are needed – and yes, this is thus a security risk.”
Smeaton noted that around the same time public discussion began to focus on the potential dangers of medical device and network vulnerability, the FDA was swift to impose new rules in June 2013. Since then, it has been steadily introducing new updates and imposing sanctions on firms found to be non-compliant.
The US National Institute of Standards and Technology (NIST) also published a comprehensive document around the security of systems. One of the document authors, Ron Ross, told Wired that adhering to the standards can help avoid issues for medtech firms. “It absolutely can help ensure that medical devices are more trustworthy because the guidance in the document can help eliminate vulnerabilities and things that can be exploited either accidentally or on purpose by hostile threat actors.”
Dr Martin McHugh is a lecturer in the School of Computing at Dublin Institute of Technology (DIT), and he explained the regulation standards for the EU market: “If a device is to be marketed for use in Europe, it must be developed in accordance with the EN ISO 14971:2007 Medical Devices – Application of Risk Management to Medical Devices standard.”
However, he noted that the last major revision of this standard was released in 2012, a far different time to the one we are now in, with regard to cybersecurity. He said medical device manufacturers should be following the work of research groups in this area and keeping up with industry best practices to protect their devices.
The international standards community has recognised these potential threats, and has released guidance documents specifically to healthcare providers to protect themselves, eg IEC 80001-1:2010 Application of Risk Management for IT Networks Incorporating Medical Devices. McHugh added: “While these guidance documents are not legally binding as with IEC ISO 14971 for medical device manufacturers, it may become the case that healthcare funding providers may withhold funding if evidence of conformance to these guidance documents is not provided.”
As well as this, a report from EY also noted that the new EU Medical Device Regulation is due to come into force by 2020, introducing a less straightforward path to compliance for many medical device manufacturers. This will encompass both pre- and post-market approval processes for high-risk devices such as implants, and publication of clinical trial data and safety summaries.
Fragility of healthcare IT systems
The concept of security for medical devices needs to have two prongs: the security of the device itself for the end user, and the security of the network the device may be accessed on.
White-hat hacker and chief research officer at SecurityScorecard, Alex Heid, said that often, hospital networks are not quite robust enough, or are using legacy systems such as Windows XP, which contributed in part to the WannaCry attack on the NHS earlier this summer.
Heid explained: “Much of the security advice surrounding advanced medical equipment suggests network segmentation to prevent sensitive equipment from being accessible to the public internet.
“While that is a best practice that should definitely be implemented, it does not completely mitigate the risks of cyberattacks upon medical equipment.”
He noted: “The attacker will compromise a perimeter router, oftentimes a legacy router or a misconfigured router, and can then use that connection to pivot into the ‘segregated’ portions of the internal network.
He compared many network topologies, including healthcare facilities, to an eggshell. “While the network perimeter may be secure and hardened, a single, small crack will expose how soft and vulnerable the internal devices may be.”
A duty of care
Caroline Rivett, head of cybersecurity in the healthcare practice at KPMG UK, told the Financial Times that responsibility must be shared. “While device manufacturers, to my mind, have a clear duty of care to ensure that their devices have built-in security and can be regularly patched and updated, there’s dual responsibility here, because hospitals must ensure that they’re carrying out that work and that they are implementing these devices in a secure way and connecting them to hospital networks appropriately.”
McHugh explained that access is a key issue. “Historically, should someone wish to gain access to a medical device, then they would have needed to physically access it.
“Today, if someone accesses the network from any point, then there is the potential for them to be able to access any medical device on the network.”
How do we mitigate the risk with medical devices?
As well as manufacturers ensuring the devices are secure before going to market, healthcare facilities need to look at the security of devices during the procurement process, and ensure that cybersecurity policies for bring-your-own devices are as strongly protected as networked devices.
A consistent level of risk assessment and prompt application of security patches is also recommended, although many hospital CIOs are operating under a great deal of financial strain, so it is by no means an easy task.
End users need to be fully informed about how to use their devices properly, which will also help to ensure patients adhere to security rules.
Threats v vulnerabilities
Writing on the subject for the MDDI, Mickey Garcia said an important distinction needs to be made between security threats and vulnerabilities. “A threat is a malicious action performed by a cyber actor to manipulate computer systems, steal data, or encrypt data and demand ransom for its release.
“A vulnerability is a weakness in a network, endpoint, device or operating system that can be discovered and exploited to carry out a threat.” He explained that by tackling vulnerabilities, the likelihood of them escalating into a threat is much lower.
Garcia stressed that cybersecurity needs to be addressed at the design stage for manufacturers. Creating a secure medical device, and ensuring it remains secure on hospital networks and that security patches are swiftly updated, is a painstaking but vital process.
Smeaton concluded by saying that although a hack of a medical device could happen in theory, “so also could hacking of the software controlling our motor cars (especially with driverless vehicles, but that’s another story); so also could hacking our smartphone access to our bank accounts; so also could any number of things, if there’s somebody determined enough to do so”.
In essence, the same problems apply here as they do to any technology – therefore, so do the same solutions. Due diligence on the part of manufacturers, healthcare facilities and end users are all key pieces of the medtech puzzle, which, if slotted together, can create safer innovations in healthcare.