Blog

Are connected medical devices secure enough for the digital health age?

April 7, 2021 John O'Gorman
Are connected medical devices secure enough for the digital health age?

Healthcare has always been one of the top industries at risk of cyber attacks. More than 93% of healthcare organizations have experienced a data breach in the past three years, with ransomware attacks alone costing the industry an eye-watering $7.5 billion in 2019. 

But it’s not just the prize of patient data, health records, or access to critical infrastructure that makes healthcare a tempting target for malicious hackers. With more healthcare organizations than ever now turning to connected solutions, many are having to consider the complex implications of connectivity on cybersecurity for the first time.

As we enter this era of truly connected healthcare, the industry must ensure medical devices are secure enough to withstand the potential risks, and that means taking a new look at how we approach cybersecurity.

 

Why cybersecurity is so critical right now

The coronavirus pandemic has caused immense pressure and rapid change in our health systems, with resources, staff, and capacity being stretched to their limits for over a year.

One development to emerge from this is the accelerating adoption and deployment of connected medical devices to ease the strain, now taking place at a rate the industry hadn’t expected to see for another ten years.

On the other hand, this influx of new devices designed to help battle COVID-19 and better manage our health systems has exposed vulnerabilities and opened new doors for hackers. In fact, by the end of 2020, global HCOs were battling a 45% increase in cyber attacks.

As well as more frequent, these cyberattacks are also becoming increasingly sophisticated. Many of us will remember the WannaCry ransomware attack back in 2017, which severely disrupted computing services in the British NHS, but the past few years have seen a whole host of new threats. 

Cybersecurity business JSOF, for example, last year identified 19 zero-day vulnerabilities, collated under the name Ripple 20, which could potentially impact hundreds of millions of devices across vast sectors of the economy, including healthcare.

The FDA, too, commented on a specific risk to the healthcare sector from a range of vulnerabilities identified in IPNet software, codenamed URGENT/11.

With so much risk to manage on a daily basis, it’s easy to become blind to the implications of such an attack. But the potential impacts are severe, and demand our full attention.

In 2018, for example, white-hat hackers were able to remotely manipulate a common pacemaker device. Though the hackers in question were only trying to highlight the potential risks medical companies face, the hack had real-world consequences, forcing the manufacturer to disable access to its software deployment network. In another event, a security threat was detected in syringe infusion pumps, which could impact or even stop fluid delivery of insulin, antibiotics, chemotherapy drugs, and more.

So what is needed to bring cybersecurity in healthcare up to date and prevent these kinds of serious security breaches?

 

Follow the guidance, but stay on your toes

With the FDA’s 2018 Cybersecurity Guidance going live just a few months ago, previously out-of-touch industry guidance has had a much-needed update.

However, with seven years since the previous cybersecurity guidance was released back in 2014, some US States have now passed their own rules governing security in devices to fill the gap.

These state laws can be overly prescriptive. While current FDA and MDR rules offer clear guidance, they leave the actual implementation open to interpretation. State laws, however – like the California State Law – require a very specific approach be followed for devices to gain approval. 

The problem is, a jumbled approach that incorporates a range of different guidance will lead to poor implementation, especially as both may change in the near future as technology continues to develop. Making sure your device or service meets all the necessary guidance will require keeping a sharp eye on the latest developments.

 

How device manufacturers should approach cybersecurity

Medical devices have been difficult to attack in the past, because they simply weren’t connected enough to be lucrative targets. But as we move to an era of connectivity in which everything is linked up in one way or another, we need to adjust to the fact that medical devices are just as valuable a target as devices in any other industry.

The right approach now requires involving and considering security at every stage, across all departments that will use the solution, and throughout the lifecycle of a medical device. That includes the update process, too; in some extreme cases, cybersecurity patches and updates are still installed in person with a pen drive, which is both slow and inefficient.

Bringing together different aspects of development that have traditionally been separate offers a more holistic view of problems, and a more effective solution.

There are several ways to approach secure development, but it’s best done in a manner that works with the workflow of a device development team. An asset-based approach, in which the development team knows what’s important in a device, works well. The development team conducts a security analysis that helps them understand how to build the device so that all assets are separate and can be defended.

 

Implementing proactive security solutions

It’s an approach we at S3 Connected Health understand well. We recently developed a new connected, hospital-based drug delivery system that serves as an example of this proactive security approach. 

With the system delivering life-saving medication directly to patients, top-level cybersecurity was required for it to be used confidently and safely in hospitals. 

To help accomplish this, part of the manufacturing line was rebuilt to facilitate the generation of encryption keys and to provision them onto the device. 

These keys ensure the secure transmission of data when the device is deployed in the field. Every piece of data is encoded with a specific starting point and location. The integrity of that data is then rechecked when decrypted in the manufacturer’s data center, to confirm the information has not been interfered with or compromised in any way. 

All this can be done without integrating with a hospital’s EHR system or internal network, thereby avoiding the related complexity, cost, and additional security risk of interfacing with an additional protected network. 

The end result is a better, more efficient system that is fully protected from cybersecurity risks. 

 

A proactive approach reduces risk and saves resources

Connected medical devices now play a vital role in our healthcare systems. To keep those systems safe and secure, a robust approach to cybersecurity is paramount. Clearer guidance will help, but in the meantime, we don’t have time to wait for regulatory authorities to catch up. 

Instead, device manufacturers need to start considering security from the very start of the device creation process, all the way through to the end of a product’s lifetime.

This kind of proactive approach to cybersecurity makes it easier to keep our patients and clinicians safe. It also means less work later on, whether that’s retrospectively fitting inadequate security software, or spending vast sums on fighting critical security breaches. And that, in turn, means more time for hospital employees to focus on what really matters: their patients.

 

By John O’Gorman,

Product Innovation Manager,

S3 Connected Health