Key Takeaways
Wireless life-supporting medical devices have vulnerabilities that can jeopardize the health and personal data of a patient
The healthcare industry struggles to defend itself from cyber threats because of the number of devices on their networks and lack of funding to spend on cyber defense.
Medical device cybersecurity is becoming increasingly regulated which is driving investment in that industry.
Fiction becoming a reality
In a December 2012 episode of the popular television series Homeland, the Vice President of the United States was assassinated when a terrorist organization wirelessly hacked his pacemaker. While this scene is clearly one that belongs on in TV drama, the reality is that this narrative is grounded in fact. Dick Cheney, George W. Bush’s real-life vice president from 2001 to 2009, was sufficiently scared of a similar event. He felt the threat so real that the wireless capabilities in his own pacemaker were disabled in order to prevent this method of assassination from becoming reality. The ability to hack a pacemaker has now been proven.
Networked medical devices are a double-edged sword: They have the potential to play a transformational role in health care but also may be a vehicle that exposes patients and health care providers to safety and cybersecurity risks such as being hacked, being infected with malware and being vulnerable to unauthorized access.
Hundreds of thousands of medical devices such as patient monitors, infusion pumps, ventilators, and imaging modalities – many of which are life-sustaining or life-supporting – currently reside on hospital networks across the United States. Even more medical devices are accessible via wireless technologies, for example, insulin pumps and pacemakers.
Security challenges in healthcare
The healthcare industry has long been targets of cyber attacks (with a recent spike in incidents) because of their vast amounts of health information and data such as patient health, product performance, or data from other devices connected to the same network. Personal health information is among the most sensitive data that can be made public, and its use by cybercriminals for extortion purposes could be immense. Compromised medical devices could be used as a gateway to attack other portions of an organization’s network.
The healthcare industry faces many challenges when it comes to securing it’s systems:
Because of budget limitations and the hesitance to learn/teach new systems, many healthcare facilities have outdated technology.
Healthcare staff are not trained to deal with online threats and are not fluent in cybersecurity best practices.
The number of devices used in hospitals makes it difficult to stay on top of security. These devices come from different manufacturers and are constantly opening up more entry points to their network
Threat Landscape for Wireless Medical Device
So far, despite several alerts warning of vulnerabilities in medical devices, there have been no real world attacks and no patients are known to have come to harm. That being said, there has been a lot of eye opening research from white hat hackers that have caused concern and recalls.
Pacemakers were implicated in a major hacking risk in 2017, with 500,000 devices from Abbott’s recalled by FDA. According to authorities, hackers could endanger lives by remotely causing the batteries in pacemakers to go flat or forcing the life-saving devices to run at potentially deadly speeds.
Also in 2017, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identified problems with a number of syringe infusion pumps in U.S hospitals. A total of eight security vulnerabilities were found in the Medfusion 4000 Wireless Syringe Infusion Pump, which is manufactured by the medical device maker Smiths Medical. The discovery also led to a recall.
Similar discoveries and recalls have occurred for heart rate monitors.
Industry regulation and best practices
Despite the threat of attacks only being theoretical, medical device cybersecurity is becoming more and more regulated. These regulations focus on security throughout the device lifecycle from early stages of development to threat monitoring. There are three major regulatory standards in the industry now: IEC 62304, ISO 14971 and FDA guidance documents. Here are a couple major takeaways from each of these documents:
IEC 62304 (focused on software life cycle processes)
Safety should be built in from the beginning of development with continuous testing of software security requirements
Medical device developers are cautioned against using SOUP (Software of Unknown Providence). This is third-party software, including any open-source libraries.
You show you follow an appropriate process for managing updates, testing them, and mitigating risk.
ISO 14971 (international standard for medical device risk management)
Documentation is the key - you need to show how you have implemented safety-related procedures in various stages throughout the product lifecycle
You should anticipate any way in which your connected device might fail and what the consequences of that failure might be
FDA
The guidance document for premarket management of cybersecurity in medical devices identifies issues that manufacturers should consider in the design and development of devices. It recommends limiting access, authenticating software updates, implementing features that allow for threat detection and response and lots of documentation.
The guidance document for postmarket management of cybersecurity in medical devices recognizes that cybersecurity is a shared responsibility between stakeholders of the medical device (manufacturers and healthcare facilities that administer the devices). The document lays out reporting procedures for vulnerabilities and the cadence for continued testing.
With regulation comes compliance requirements, which can be expensive. This increased spending on medical device security is one reason why the healthcare cybersecurity market is anticipated to reach $16.4 billion by 2025 at 11.82% CAGR.