The idea of medical devices being infiltrated by cyber-criminals may sound like the plot of a far-fetched Hollywood movie. But with growing use of the internet, cloud services and network-connected medical devices, and with cybersecurity often lagging behind, it is a real and present threat that the healthcare and MedTech industries face.
A threat of this kind could literally mean the difference between life and death for the countless patients who rely on medical devices to survive; add to that the risk of breaches of private and sensitive patient data. With so much at stake, it is no wonder that cybersecurity in medical devices, or rather the lack of it, has become such a major concern.
The healthcare industry has long been an attractive target for cyber-criminals. The WannaCry attack of 2017, which spread between unpatched Microsoft Windows computers around the world through a vulnerability in the SMB file-sharing service, forced the NHS to cancel tens of thousands of GP appointments and to divert ambulances away from affected hospitals. The worm also encrypted patients' data and demanded a Bitcoin ransom to release it.
The attack highlighted the need for tougher cybersecurity measures, yet when the UK's Department of Health tested the cyber defences of around 200 NHS trusts a year later, every single one failed to meet the required standard.
It is not just the UK that has discovered weaknesses in its defences. In 2018, the US Food and Drug Administration (FDA) recalled implantable defibrillators made by the healthcare company Abbott after a vulnerability was found that could allow an unauthorised person to connect to the device and issue commands, including ones that drain the battery or alter cardiac pacing.
Early last year, an Israeli research group developed proof-of-concept malware to highlight how urgently the healthcare sector needs better cybersecurity. The malware let its operator manipulate CT and MRI scans by adding or removing images of tumours, which could lead to serious misdiagnosis and delayed treatment. Although this was only research, it demonstrated how criminals could tamper with medical imaging and cause serious harm to patients.
Thankfully, to date, there have been no reported cases of anyone directly hacking a medical device to alter its behaviour and endanger a patient. Cybercriminals do, however, continue to target MedTech devices for the personal data they hold, with the aim of selling that data on the black market or demanding a ransom for it. A recent study found that the global healthcare industry accounted for nearly four out of five of all reported data breaches last year.
Thanks to MedTech innovation, digitised medical devices including pacemakers, infusion pumps, ventilators and CT and MRI scanners are now commonplace. Wearable smart devices such as health watches, ECG monitors, blood pressure monitors and biosensors have also surged in popularity in recent years. All of these devices hold varying amounts of patient data, and all have some level of connectivity, whether as internet of things devices or through the cloud.
While halting the collection and storage of patient data might seem the simplest way to deter criminals from targeting these devices, it is actually more complicated than that. Data-driven healthcare systems built by MedTech companies have breathed new life into the healthcare industry. By combining the devices' real-world data collection with advanced analytics and machine learning, healthcare professionals can provide more accurate diagnoses, more tailored care and lower costs than ever before.
Understandably, this is not something that either the healthcare industry or their patients want to lose.
With the use of connected smart medical devices and the collection of data unlikely to disappear any time soon, safeguarding medical devices, such as hospital equipment and wearable devices, has never been more important. Thankfully, MedTech manufacturers, healthcare facilities and regulatory bodies like the FDA are taking steps to address this issue.
In 2018, the FDA launched a cybersecurity playbook with the aim of helping healthcare providers safeguard their technologies more effectively, with examples of how to reduce unauthorised access to smart medical devices. The playbook states that medical device manufacturers are responsible for identifying any cybersecurity risks associated with their medical devices. This includes putting appropriate mitigations in place to address patient safety risks and to ensure proper device performance.
The FDA also believes that patients and caregivers should play a key role in medical device cybersecurity, particularly when devices are used away from medical facilities. Just last year it published a cybersecurity guide that encourages patients and caregivers to keep device software updated, reducing the window in which known vulnerabilities can be exploited, and to report any malfunction both to the FDA and directly to the manufacturer.
Similarly, in Europe, a political agreement to reinforce the mandate of the EU Agency for Cybersecurity (ENISA) was reached in 2018, with the aim of establishing an EU-wide cybersecurity certification framework. Under that framework, ICT products, services and processes, including connected medical devices, can be certified against a defined set of security requirements, so that "cyber-secure" means something that has been assessed rather than merely asserted. Certification under the framework is voluntary unless separate EU or national law makes it mandatory for a product category.
Rather than treating cybersecurity as an afterthought, manufacturers are now being encouraged to build it into the design and functionality of their devices. From secure boot and embedded firewalls to signed remote firmware updates and per-device identity certificates, there are many ways in which the security of these devices can be strengthened at the design stage and during manufacture.
Many leading manufacturers have also started implementing solutions based on the principle of zero trust. Zero Trust-based solutions grant access to a device's data only to identities that have been authenticated and authorised, such as the patient's doctor or an approved device on the same network, and they check that authorisation on every request rather than trusting anything simply because it sits inside the hospital network.
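The signed-update item in that list is the easiest to make concrete. As an added example that is not from the original article or from any device vendor, the following Go program models the two halves of a secure remote update: the vendor signs a small firmware image with an Ed25519 private key, and the device verifies the signature with its pinned public key and enforces anti-rollback before accepting the payload. The image layout (a twelve-byte header followed by the payload and signature), the error names and the sample payload are assumptions made for illustration, not a real vendor format. The same check, run at power-on against the image already in flash, is what secure boot does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout (constructed for this example, not a real vendor format):
//   magic(4) | version(4, big-endian) | payloadLen(4, big-endian) | payload | signature(64)
// The signature covers everything before it, so the version and length fields
// are authenticated together with the payload.
const (
	magic  = "FWIM"
	hdrLen = 12
)

var (
	ErrBadImage     = errors.New("firmware image malformed")
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version older than installed minimum")
)

// BuildImage is the vendor-side step: it signs header+payload with the
// private key, which never leaves the vendor's signing infrastructure.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, hdrLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))
	signed := append(hdr, payload...)
	sig := ed25519.Sign(priv, signed)
	return append(signed, sig...)
}

// VerifyImage is the device-side step performed by a boot loader or update
// agent before anything is flashed or executed: parse defensively, verify the
// signature with the pinned public key, then enforce anti-rollback against the
// minimum version the device keeps in tamper-resistant storage. It returns the
// payload and its version only if every check passes.
func VerifyImage(pub ed25519.PublicKey, minVersion uint32, image []byte) ([]byte, uint32, error) {
	// Length is checked before any field is read, so a truncated image
	// cannot cause an out-of-range slice.
	if len(image) < hdrLen+ed25519.SignatureSize || string(image[0:4]) != magic {
		return nil, 0, ErrBadImage
	}
	payloadLen := binary.BigEndian.Uint32(image[8:12])
	signedLen := hdrLen + int(payloadLen)
	if signedLen+ed25519.SignatureSize != len(image) {
		return nil, 0, ErrBadImage
	}
	signed, sig := image[:signedLen], image[signedLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSignature
	}
	// Only after the signature is valid is the version field trusted;
	// an attacker cannot forge a higher version to bypass this check.
	version := binary.BigEndian.Uint32(image[4:8])
	if version < minVersion {
		return nil, 0, ErrRollback
	}
	return image[hdrLen:signedLen], version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a real firmware blob.
	image := BuildImage(priv, 7, []byte("constructed pump controller firmware v7"))
	const installedMin = 6

	if payload, v, err := VerifyImage(pub, installedMin, image); err == nil {
		fmt.Printf("accepted firmware v%d (%d bytes)\n", v, len(payload))
	}

	tampered := append([]byte(nil), image...)
	tampered[hdrLen] ^= 0x01 // flip one bit of the payload
	_, _, err = VerifyImage(pub, installedMin, tampered)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, 8, image) // device already runs v8
	fmt.Println("downgrade attempt:", err)
}
```

The two design points worth noting are that the version field is inside the signed region, so a downgrade cannot be disguised as an upgrade, and that all length checks happen before any slicing, so a malformed image is rejected rather than crashing the update agent.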
By building these controls and policies directly into every device during design and manufacture, MedTech manufacturers not only help to prevent attacks that originate over the internet but also protect the integrity of the devices themselves.
Keeping criminals out of medical facilities' IT networks significantly reduces the risk of attacks against medical devices and the other systems on those networks. So, if facilities want to be proactive in protecting their patients' data, they need to improve their employees' understanding of how to keep websites, email, networks and databases secure. Ensuring that every device, app and server they use has an authenticated digital identity, so that unknown or spoofed equipment cannot simply join the network and talk to clinical systems, is another effective control.
Keeping medical devices and the data they collect safe from cyberattacks is an ongoing battle, with cybercriminals constantly changing their tactics to get around even the most sophisticated of cybersecurity measures. However, with MedTech manufacturers, healthcare facilities, regulators and device users all working together to find a solution, medical devices are bound to become a harder nut for these cyber criminals to crack.