Why Cybersecurity Must Be Part of Medical Device Architecture
Connected medical devices promise value for patients and doctors, but they also present new cybersecurity vulnerabilities that could put patients at risk.
By Mickey Garcia, MDDI Online
September 27, 2017
Medical devices are no longer a stand-alone component in the healthcare ecosystem. More and more devices are network-connected, which often involves interaction through websites and the transmission of sensitive data through wireless components.
Network-connected medical devices promise an entirely new level of value for patients and doctors, but they also introduce new cybersecurity vulnerabilities that could affect clinical operations and put patient care at risk.
Medical device risk management processes need to be revamped to properly identify security vulnerabilities and include countermeasures to mitigate threats. This is no easy undertaking, as cybersecurity in medical devices is a multifaceted problem involving disparate factors. The complexity of cybersecurity along with the recent increase in cyberattacks in healthcare-related industries underscores the need for incorporating cybersecurity early in medical device design and development.
Threats vs. Vulnerabilities
Threat and vulnerability have often been used interchangeably when referring to cybersecurity, but they are not the same. A threat is a malicious action performed by a cyber actor to manipulate computer systems, steal data, or encrypt data and demand ransom for its release. A vulnerability is a weakness in a network, endpoint, device, or operating system that can be discovered and exploited to carry out a threat.
Preventing cybersecurity threats entirely is not possible. The focus of security measures is to reduce the number of vulnerabilities in order to increase the difficulty in breaching your network. If hacking your device or network requires a lot of time and effort, a cyber actor may abandon your site and search for a different target.
Common Vulnerabilities that Can Lead to Threats
More healthcare facilities are benefiting from advanced medical device technology. Still, the security vulnerabilities inherent in connected medical devices open pathways for threats to the medical devices themselves, the data stored on the devices, and their surrounding network infrastructure. The following are a few vulnerabilities that are commonly exploited.
Hardcoded administrative passwords. These default passwords are used to permit privileged access to devices, such as for service technicians. These passwords cannot be changed by users or even the facility’s system administrator. Discovering these passwords is easy because the same password is often used in the code of multiple devices. If a hardcoded password is used in a system, a cyber actor can identify it and gain administrator access to the device and its data.
Unencrypted data transmitted through wireless connections. It’s common for medical devices to interface with web services that provide a graphical interface for configuring and interacting with the device. Data transmitted through a wireless connection can be intercepted from anywhere in the world. Unencrypted data can be stolen and even modified, resulting in a serious threat to a patient’s safety.
No authenticated access requirement. Medical devices that don’t require the login credentials of preauthorized users are highly vulnerable to cyberattacks. Internet of Things (IoT) technology allows cyber actors to access devices from remote locations, prevent connection to the device, or retrieve patient medication data.
Failure to scan application software for vulnerabilities. Software developers often use pre-written code, called a software library, when developing programs and applications. Medical device application software that includes a software library could have inherent vulnerabilities. Scanning tools are available online that can expose vulnerabilities in software code that hasn’t been tested prior to the device’s deployment.
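As an added illustration of the hardcoded administrative password weakness described above (not code from the article or from any device vendor), the sketch below contrasts a firmware-wide service password with a per-device credential that is stored only as a salted hash and can be changed by the facility. All names, the placeholder password, and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# "Before": one service password compiled into every unit's firmware.
SERVICE_PASSWORD = "svc-EXAMPLE-0000"  # constructed placeholder, not a real credential

def legacy_login(supplied: str) -> bool:
    # Identical on every device, cannot be rotated, and readable by anyone
    # who obtains a single firmware image.
    return supplied == SERVICE_PASSWORD

# "After": a unique credential per device, kept only as a salted hash.
PBKDF2_ITERATIONS = 200_000  # assumption: tune to the device's CPU and power budget

class DeviceCredentialStore:
    def __init__(self) -> None:
        self._salt = None
        self._hash = None

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def provision(self) -> str:
        """Factory step: generate a random password unique to this unit."""
        password = secrets.token_urlsafe(16)
        self.set_password(password)
        return password  # handed over out of band; never stored in clear on the device

    def set_password(self, new_password: str) -> None:
        """Lets the facility's administrator rotate the credential."""
        if len(new_password) < 12:
            raise ValueError("password must be at least 12 characters")
        self._salt = os.urandom(16)  # fresh salt on every change
        self._hash = self._derive(new_password, self._salt)

    def verify(self, supplied: str) -> bool:
        if self._hash is None:
            return False  # an unprovisioned device refuses every login
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._derive(supplied, self._salt), self._hash)
```

With this design, recovering one unit's credential gives no access to any other unit, and rotating the password invalidates the old one.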
Traditional Security Measures Are Not Fail-Safe
It might be tempting to trust traditional IT network cybersecurity tools such as antivirus software, intrusion detection systems, and firewalls to handle security for connected devices.
Network cybersecurity detection tools are critical components of IT security and must be kept up to date. Nevertheless, these tools alone cannot fully safeguard connected medical devices that lack embedded security controls.
Antivirus software. This software is designed to prevent, search for, detect, and remove software viruses and malware such as worms, Trojans, and adware. Antivirus software is adequate for catching and blocking viruses; however, cyber actors have the ability to test their malware against the latest antivirus software to learn how to bypass it.
Intrusion detection software. These tools detect and quarantine unauthorized entry to the network, preventing an intruder from accessing confidential data or injecting malware into the system. Cyber actors can sometimes get around these tools by using older malware technology. The network’s intrusion detection software may either fail to recognize the intrusion or classify it as a minor threat. With numerous threat attempts coming into a network, it’s easy for some intrusions to go undetected.
Firewalls. Firewalls form a barrier between trusted and untrusted network traffic. They often need to work in concert with intrusion detection software to adequately provide the right depth of network security. However, many medical devices are activated on an ad hoc basis, so they are not permanently connected to the network. An organization’s firewall management technology may not have the flexibility to handle this type of variation in network traffic.
FDA’s Stance on Cybersecurity
FDA has acknowledged the severity of cybersecurity and has published various alerts and guidance documents regarding cybersecurity risks and patient safety. According to an FDA safety communication “Cybersecurity for Medical Devices and Hospital Networks,” medical device manufacturers should take steps to assure that appropriate safeguards are included in medical devices to reduce the risk of failure due to a cyberattack.
Per FDA’s safety communication, the extent of the safety controls needed in a medical device depends on these factors: the device’s intended use, the presence and intent of its electronic data interfaces, its intended environment, the type of cybersecurity vulnerabilities present, the likelihood the vulnerabilities will be exploited, and the probable risk of patient harm due to a cybersecurity breach.
Address Cybersecurity Challenges During the Design Stage
The need to identify security vulnerabilities and mitigate threats poses new challenges for medical device manufacturing. Security controls include their own risk assessments and requirements that need to harmonize with the device’s safety and efficacy.
Device functionality. Some security controls, such as encrypted data transmission and multilayered authentication, are necessary to fend off unauthorized access. However, in some devices, these measures can slow down a medical device’s functionality and reduce its battery life.
Interoperability. The seamless interoperability of medical devices within a network infrastructure is valuable in healthcare environments. But increasing the number of integrated, connected devices increases vulnerabilities and risks of security breaches.
Maintenance and updates. Connected medical devices usually require frequent upgrades and patches, especially for security purposes. These processes need to include a secure method of installing the updated functionality. Certain functionality updates require regulatory recertification and validation, which can impact the timeframe of rolling out patches and updates in the production environment.
Incorporating security controls into a medical device is a gradual and painstaking process that requires careful planning and collaboration with cybersecurity experts. Security is a new stakeholder in medical device development that needs to be included in the device’s architectural risk assessment. Device manufacturers need to ensure that their device does not add more vulnerabilities to a facility’s network.
This article originally appeared in MDDI Online on September 27, 2017.