Medical Device Security

Cybersecurity risk is now patient risk

John Giantsidis

John Giantsidis

More about Author

John Giantsidis is the President of CyberActa, a boutique consultancy empowering clients in their regulatory, cybersecurity, privacy, data, and commercialisation endeavors. With deep regulatory and technology background, a broad range of experience over a 27-year career, and a sharp focus on tackling emerging risks, John affords his clients with strategic yet pragmatic perspectives on addressing critical risks in a business-focused and impactful manner. John is a Cyber Aux with the U.S. Marine Corps, a member of the Cybersecurity & Infrastructure Security Agency (“CISA”) Healthcare POC, an advisor to the National Telecommunications and Information Administration (“NTIA”) in its Software Component Transparency efforts, and a past voting member of Association for the Advancement of Medical Instrumentation (“AAMI”) in Health IT Security matters.

Cybercriminals are increasingly targeting healthcare organisations to steal information and disrupt operations. The entire health care ecosystem is under pressure to improve cybersecurity. Fines, audits, lawsuits, reputational damage, and patient safety are powerful catalysts. No healthcare organisation should think it is safe from cybercrime. Cybersecurity threats to healthcare organisations and patient safety are real. Cyber Safety is Patient Safety!

1. How important is medical device security in your opinion?

Connectivity and digitisation of healthcare and associated technologies has enhanced medical device functionality and increased benefits to both patients and users. Whenever connected medical devices connect to hospital or home networks or the internet, they get exposed to cyber threats that can lead to increased risk of harm to patients and users, both financial and safety. Medical devices are valuable to cyber attackers because of the information and data they contain and the profit they can make once that information reaches the dark web.

Since the medical device cybersecurity risk can be a safety concern, they are to be designed, manufactured and utilised in a way that ensures that any risks associated with the use of the device are acceptable risks when weighed against the intended benefit to the patient, and compatible with a high level of protection of health and safety.

2. What kind of medical devices require security measures?

Cybersecurity expectations shall be applicable to devices that contain software (including firmware) or programmable logic, as well as software as a medical device (SaMD) or machine learning as a medical device (MLMD).
I would not limit the security by design considerations to medical devices that are network-enabled or contain other connected capabilities.

3. What are the common risks associated with insecure medical devices?

Medical devices can be susceptible to the same security challenges faced by other code-enabled systems, such as vulnerabilities introduced during design, manufacturing/assembly, implementation, configuration and retirement. Some are attributed to design of the medical device of (e.g., use of plaintext, hard-coded passwords), to coding flaws (e.g., buffer overflows, command injection), denial-of-service, and susceptibility to malware due to missing or improper security patching.

Medical device cybersecurity requires planning and action based on the applicable multiple environmental and use factors as the cybersecurity threat landscape is rapidly evolving. The potential harm to patients and users from an adverse medical device cybersecurity event could clearly include physical harm. There may also be other consequences for patients and users arising from a cybersecurity event including misdiagnosis or potential privacy breach by the disclosure of personal information.

One item that I truly try to remind healthcare providers and hospitals is that patient data is everlasting and cannot be altered or modified after a data leak – as you would with a credit card number for example.

4. What are the challenges associated with securing medical devices?

Medical devices often collect, measure, or generate data during their operation, calibration and maintenance. Transmission of such data can become a source of risk if the medical device is capturing Personally Identifiable Information (PII) or other data with privacy implications.

Another great challenge is the third party support and medical device network connectivity because of third-party access. Hospitals may provide this access for remote management functions, maintenance, software/firmware updates, or features/functionality.

The minimal medical device cybersecurity expectations are to provide protection against unauthorised access, unauthorised influence or unauthorised manipulation, minimise risks associated with known cybersecurity vulnerabilities and facilitate the application of updates, patches, compensating controls and other improvements, including making available sufficient information for a user to make decision with respect to the safety of applying or not applying these.

The challenge, in my opinion, is to evaluate and design medical device cybersecurity to address off-label use of devices, exploitation of previously unknown vulnerabilities in the device software or hardware, unsupported or unauthorised user modification of devices to customise a device to perceived needs or preferences and use of device in operating environments that are not or may not be secure.

5. What are some best practices for securing medical devices?

I truly believe that best, easiest and cheapest way is to secure a medical device by design by developing an understanding of cybersecurity vulnerabilities associated with the medical device and the potential risk during the initial design and development phase, like the following:

  • The medical device has a unique, unforgeable identity that is inseparable from its hardware
  • The integrity of the medical device software is secured by hardware
  • The medical device remains secured even if one of its security mechanisms is breached
  • The medical device’s security enforcement code is protected from bugs in other software on the medical device itself
  • The failure in one component of the medical device is contained to that component
  • New medical device software components can be added in the field to address new cybersecurity threats
  • The medical device authenticates itself with certificates or other tokens signed by the hardware root of trust
  • The medical device reports errors for analysis to enable verification of the correctness of in-field execution and identification of new threats
  • The medical device software can be updated automatically.

Another foundational activity to medical device cybersecurity is threat modeling, and I have written a short guide on how to best conduct one. Threat modeling is an important aspect of the security development lifecycle, which is a process aiming to build better and more secure systems or software. It is a technique, which aims to find assets, analyse potential threats and mitigate them. The following threats can be considered in the evaluation process:

  1. Patients/users leave their login credentials on a public place (e.g., write them down on a piece of paper) or share them with family, friends or relatives
  2. Healthcare providers (doctors, nurses, technicians) leave their login credentials in public places or share them with others
  3. Medical devices may be spoofed by attackers, which may lead to incorrect data being delivered to the patient
  4. There unauthorised access to medical device data using shared (or stolen) passwords
  5. Patients/users intentionally or accidentally modify, add and/or delete data because of over-privileges or inapplicable access control of a medical device
  6. Improperly protected data stored in patients' medical devices could allow attackers to read information not intended for disclosure.

6. How can healthcare organisations ensure that their medical devices are secure?

It is important to understand the importance of healthcare professionals in establishing and maintaining cybersecurity in a medical device. I encourage health care professionals, users, and patients to ask questions about the clinical and cybersecurity risk associated with use of the medical device, how security of the medical device must be maintained, what they must do in the event of a suspected cybersecurity breach and what they must do in the event of a suspected cyber security vulnerability.

Procurement is the greatest spot to ask manufacturers and distributors questions about cybersecurity. The concerns include:

  1. What security measures have been built into the medical device?
  2. What measures are in place to protect patient safety?
  3. What measures are in place to protect the confidentiality, availability and integrity of patient data?
  4. How has security been addressed at each level, e.g., hardware, firmware, OS, network, and user interface?
  5. What security protocols and frameworks have been used?
  6. What IT environmental requirements are needed for secure operation of the device?
  7. What are the known cyber security vulnerabilities for the device?
  8. Have you assessed the cybersecurity of key components within the medical device (i.e. the supply chain)?
  9. Do you, the manufacturer, provide an ongoing service to manage the security of your medical device(s), and how will you respond to future cyber security incidents?
  10. A medical device often has a long lifecycle—do you, the manufacturer, have enough resources to support the security requirements throughout the lifecycle?

If the medical device is to be a connected part of the hospital’s network, then it is imperative to set up a vulnerability management process to monitor and address newly identified vulnerabilities of medical devices via timely patching.

7. What is the role of regulatory bodies in ensuring medical device security?

Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in every country. There has been considerable effort by most, if not all, regulatory agencies to grasp the importance of cybersecurity to patient safety and mandating that medical device manufacturers and healthcare organisations consider and plan patient safety.

8. How can healthcare providers educate patients and staff about medical device security?

It is imperative to educate and inform users (patients and staff) of relevant security information to help mitigate cybersecurity risks and help ensure the continued safety and effectiveness of a device. Utilise the medical device instructions and product specifications related to recommended cybersecurity controls appropriate for the intended use environment (e.g., anti-malware software, use of a firewall, password requirements).

Finally, assemble the answers/directions to the following questions:

  1. What constitutes a cyber security risk?
  2. What are the risks, particularly cybersecurity risks, associated with use of a specific device and what alternative device options exist?
  3. What default security settings are there to protect the user?
  4. What are the cybersecurity implications of changes to the device settings?
  5. When and how does the device connect to the internet?
  6. What data is collected by the device, where does it go, and who has access to it?
  7. How can a user tell if a device has been hacked or compromised and who can they talk to if this is suspected?
  8. Who should the user talk to if they learn about vulnerabilities that might affect the device?
  9. What does the user need to do to maintain the device (e.g. software updates)?
  10. How do I report a known or suspected cybersecurity breach via a medical device to my healthcare professional and the manufacturer?

9. What are some emerging trends in medical device security?

There is a great infographic that was issued by ENISA (EU Agency for Cybersecurity) that really captures what will be dealing with in the foreseeable future, whether in the medical device security or cybersecurity in general:

  1. Supply Chain Cybersecurity
  2. Disinformation Campaigns
  3. Digital Surveillance
  4. Legacy Systems Exploitation
  5. Enhanced Targeted Attacks
  6. Lack of Communication Control
  7. Advanced Hybrid Threats
  8. Skill Shortage
  9. Cross Border Issues
  10. Artificial Intelligence

10. Any other comments?

Technology is revolutionising the way we do business and behave. The emergence of artificial intelligence (AI) as a tool for better health care offers unprecedented opportunities to improve patient and clinical team outcomes, reduce costs, and impact population health. The cost for storing and managing data, data collection via electronic health records, and exponential consumer health data generation have rendered most healthcare ecosystems as data-rich targets. The prevalent use of AI and the emerging regulatory landscape has led to an increased need for standards to define good practice and provide guidance to improve trust and market adoption. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are developing AI standards, including defining key terminology and concepts, risk management, governance implications, data quality, and various topics related to trustworthiness.

Nonetheless, AI security cannot be considered in isolation of existing risk-based security, privacy, and governance foundations, which can address many of the threats that arise using AI systems.

--Issue 60--