This is a guest post. The views expressed here are solely those of the author and do not represent positions of IEEE Spectrum or the IEEE.
Cyberattacks are increasingly common in the health care industry. As the number of networked medical devices increases, so does the urgency for makers of these devices to understand and mitigate threats to device security.
In an increasingly interconnected and digital world, more and more medical devices contain embedded computer systems, which can be vulnerable to security breaches that affect how these devices operate. In March 2019, the U.S. Food and Drug Administration (FDA) issued a warning about two security flaws affecting dozens of implantable cardioverter defibrillators.
Such warnings underscore the importance of a cybersecurity-minded approach to device development.
Cyberattacks can be initiated by the introduction of malware into the equipment or by unauthorized access to configuration settings and data—not only in the devices themselves, but also in the hospital or other networks to which they are connected.
Attacks on networked medical devices, and the data they collect and transmit, can be costly. Patient safety is a critical concern, especially with devices such as defibrillators and insulin pumps that could cause patient harm or death if they malfunction.
Hacking of data from networked devices can also reveal commercially valuable information, such as:
- Patient health data, which can be sold, used to run phishing schemes, or be combined with other mined data to facilitate identity theft
- Product performance data, which can be sold to competitors or manipulated to undermine the device maker’s safety and efficacy claims
- Data from other devices connected to the same network, which can have system-wide impacts
Judging the risk of an attack
There are a number of factors that contribute to cybersecurity risks in the medical device sector. These factors include:
- Use of off-the-shelf software
- Advances in the Internet of Things (IoT), which blur the lines between public and private data and make it easier for health information to be shared electronically
- Proliferation of wearable and at-home medical devices, as well as telehealth offerings
- Lack of a mandate for health care facilities to retire from use devices that are no longer supported by the manufacturer
- Limited collaboration between the makers of medical devices and the health care delivery organizations that implement those devices
Over the past few years, the FDA has been vocal about the need for increased cybersecurity for medical devices. Since the FDA published its first premarket cybersecurity guidance in 2014, the agency has issued two other guidance documents. In 2016, the FDA published a postmarket guidance, which provides recommendations on how manufacturers should respond to new cybersecurity threats for marketed devices. In October 2018, the FDA issued an updated draft premarket guidance that also includes some postmarket recommendations.
Device makers shoulder the bulk of the responsibility for ensuring device security. However, hospitals and other health care delivery organizations are charged with evaluating their respective network security setups and protecting their systems. The FDA advises that health care delivery organizations work closely with medical manufacturers to understand what changes might be necessary to keep device security up to date.
In January 2019, the Health Care & Public Sector Coordinating Councils issued a joint security plan that provides recommendations for managing the security of medical devices throughout the product lifecycle. Under this plan, health care providers and purchasers of connected medical devices would be able to remotely access a cybersecurity bill of materials (CBOM) that would list all commercial hardware and all software embedded in the device. The plan would also require device manufacturers to notify customers before ending technical support for older devices.
What can medical device manufacturers do?
Rising cybersecurity threats have prompted medical device manufacturers to incorporate increasingly sophisticated methods of protecting their devices. Unfortunately, these security measures may sometimes make the device more difficult to use or disruptive to clinical workflow, causing end users to create workarounds that put the security of the devices at risk.
For device manufacturers, the challenge lies in considering how cybersecurity requirements will impact device usage and determining where tradeoffs can be made. Manufacturers should work with the full spectrum of stakeholders, including health care providers, device users, and patients, to ensure that measures taken to increase security don’t interfere with device usage.
As security decisions are being made, device manufacturers should take into account the following critical considerations:
- What is the intended use of the device?
This includes not only where and by whom the device will be used, but also when and how often it will be used. Security controls should be tailored to the end users and to their environments.
- What are the risks?
What is at risk if the device is compromised? The more serious the risk to patient safety, the more stringent and rigorous the security requirements should be.
- How likely is a cybersecurity breach?
While the likelihood of a cybersecurity breach may be difficult to quantify, manufacturers should consider what knowledge and access would be required to carry out an attack and how valuable the data collected by the device might be to potential hackers.
Device manufacturers should incorporate security and usability considerations into an effective cybersecurity plan during the earliest stages of design and development to help prevent costly changes or delays downstream. This requires collaboration between R&D, IT, and product engineering teams to ensure that devices are designed with the right threats in mind.
An effective cybersecurity plan should incorporate both premarket and postmarket phases and address risk management from device conception to disposal. Software-enabled devices will require a plan for maintaining security throughout the device lifecycle. The cybersecurity plan should also include a process for monitoring and managing the ongoing security of the device in the face of emerging vulnerabilities.
Many device industry giants—including BD, Abbott, Siemens, Philips, Medtronic, Johnson & Johnson, Boston Scientific, and Strykerv—have pledged to publicly share vulnerability information in the event of a cybersecurity breach on their devices. Industry-wide transparency is critical, but it can also be challenging because of the inherent tension between sharing vulnerability information and protecting intellectual property.
In October 2018, the FDA announced a memorandum of agreement with the U.S. Department of Homeland Security to improve collaboration and sharing of information to address medical device cybersecurity risks. Moreover, the U.S. Department of Health and Human Services’ Office of Inspector General has issued a report calling for the FDA to establish written procedures for securely sharing sensitive information about cybersecurity events with key stakeholders.
For manufacturers of networked medical devices, cybersecurity is becoming an increasingly important aspect of regulatory oversight and may even be a point of competitive differentiation. In fact, a recent survey showed that 62 percent of customers value cybersecurity more than ease of use in a medical device. As the responsibility of risk management ultimately lies with the medical device manufacturers who are bringing innovations to market, making cybersecurity a priority is a must.
Nach Davé is vice president of development strategy at Premier Research, where he advises medical device manufacturers on cybersecurity matters related to U.S. and European regulatory requirements.