Healthcare cyber security - safe and secure or an open door?

As medical devices become increasingly integrated, the healthcare business will be transformed. Medical professionals have a whole new world of data right at their fingertips, while patients can be monitored from home, potentially making routine check-ups a thing of the past.

This is changing healthcare as we know it, but it also exposes the people who use connected devices to hazards that did not previously exist. The medical device industry must therefore be fully prepared to address the risks inherent in digitisation - software safety, device security and data privacy. Worst case scenario, a design flaw could be the difference between life and death.

The advantages of digitisation all lead to improved patient outcomes through:

• Improved diagnosis and treatment
• Enhanced health and disease management
• Improved drug management
• Remote monitoring
• Cost savings
• A value-added patient experience
• A faster and more efficient interaction between patients and doctors
• New business models for medical device manufacturers as well as for operators

But the risks include:

• Data privacy – ensuring that patient data is secure
• Device security – how hackable is the system or device?
• Unintended consequences (inappropriate pacing or shocks)
• Data integrity (tele-medicine?)

Remote access systems are a common cyber attack target because often not all of the risks associated with a remote connection, and the usability of them by third parties, are taken into consideration. Systems intended to meet legitimate needs, such as allowing off-site clinicians to access clinical data or vendors to troubleshoot systems, can be exploited for illegitimate purposes.

There are therefore multiple regulatory, ethical and business reasons to ensure that all digital healthcare and medical devices are thoroughly tested and secure. This includes compliance with global regulatory requirements, such as the In Vitro Diagnostic Medical Device Regulation (IVDR), the In Vitro Diagnostic Medical Device Directive (IVDD), the Medical Device Regulation (MDR) in the EU; as well as the regional requirements of the US FDA, China FDA and the Japan Ministry of Health and Welfare.

Of course, privacy is extremely important for patient confidentiality and a breach would undermine that practitioner-patient trust and potentially have legal implications. More seriously, unauthorised access to medical devices could result in death or severe injury, so manufacturers and medical device procurement teams must ensure the technology is secure. If they fail to ensure medical device cyber security, this could result in significant reputational damage for device manufacturers and healthcare organisations that use insecure technology.

What standards to follow?

Despite the obvious requirement for protection of data confidentiality, integrity and availability, there are still no harmonised standards for the cyber security of medical devices. However, the FDA, EU and Health Canada are working on standards and guidance documents that will indicate the need to consider vulnerability scans and penetration tests during the development of medical devices. There are also some existing standards and very useful guidance that relate in some way to cyber security:

• UL 2900-2-1- The USA Food & Drug
  Administration’s cyber security aid for industry and regulators
• IEC/TR 60601-4-5 - safety related technical security specifications for medical devices (currently under development)
• IEC 80001-5-1 - Application of risk management for IT-networks incorporating medical devices (currently under development)
• MDCG 2019-16 - Guidance on Cyber security for Medical Devices, which is one of the most important guidelines for MDR implementation

To prevent the need for rework, some of the requirements should be tested early in the process. While there is currently no law that requires a vulnerability scan to be done, most guidance documents indicate that it should be conducted. It is therefore up to manufacturers to prove due diligence – that they have taken appropriate actions to bring safe products onto the market. Designers and manufacturers should therefore have a good case prepared if they decide to skip it. The same applies for penetration tests.

In Europe the MDR states that ‘for devices that incorporate software or for software that are devices in themselves, the software shall be developed…in accordance with the state of the art taking into account the principles of …information security… ’ ‘the solutions adopted by the manufacturer for the design and construction of the devices must conform to safety principles, taking account of the generally acknowledged state of the art’.

The EU’s MDCG 2019-16 Guidance on Cyber security for Medical Devices document provides manufacturers with guidance on how to fulfil all the relevant essential requirements of Annex I to the MDR and IVDR regarding cyber security. The two Regulations require that devices are fit for the new technological challenges linked to cyber security risks, with new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. The two regulations now require manufacturers to develop and manufacture their products in accordance with the state-of-the-art, taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorised access.

Cyber security requirements listed in Annex I of the MDR, deal with both pre-market and post-market aspects. Key concepts involved in IT security specifically for medical devices are:

• Confidentiality of information at rest and in transit
• Integrity, which is necessary to ensure information authenticity and accuracy (i.e. non-repudiation)
• Availability of the processes, devices, data, and connected systems

When assessing risks in accordance with Annex I of the MDR, it is important to include security issues in the risk assessment, even in cases where security is not stated explicitly in the Regulations’ requirements. During the risk management process, the manufacturer should foresee or evaluate the potential exploitation of those security vulnerabilities that may be a result of reasonably foreseeable misuse.

During the product security risk management process, manufacturers must distinguish two important areas:

• Safety risk management normally covered in the overall product risk management
• Security risk, which is not associated to safety

Cyber security must be based on a well-structured development and testing process. For example, after any software changes a vulnerability scan or penetration test should be repeated, at least partly. Manufacturers must also consider security related tests regarding the change, as well as conduct regression tests which show that the change did not have a negative effect on the cyber security of the device.

Manufacturers can conduct their own tests, but they must have the appropriate competences within the organisation. They must therefore ensure and demonstrate that they have enough expertise to ensure IT security in line with the state of the art. This evidence is often most easily obtained through internal or external training. In this way, manufacturers can also access the expertise of external resources.

Taking healthcare out of the hospital

There is an increasing demand for homecare in the case of chronic conditions that require regular monitoring. For example, while new technology can grant patients the freedom to live at home while being monitored, many security assumptions are based on a hospital or clinical environment, including:

• Control of local communications infrastructure (device communicates with bed stand or a local gateway)
• IT support
• Native protocols (unencrypted communications, as in some 2016 pacemakers)
• Lack of knowledge about the ease with which hardware (such as firmware flashing devices) may be procured

Consequently, there are many cyber security vulnerabilities within connected healthcare products as they have limited encryption capabilities. Authentication mechanisms are lacking or entirely absent, as there is no de facto standard for authentication.

Wireless communication exposes patients to eavesdropping, especially by introducing vulnerability to social engineering at point of service via the patients themselves or their carers and nurses, for example. This is where cyber criminals use psychological manipulation to trick users into making security mistakes or to give away sensitive information. However, companies often neglect their staff’s IT security training, even though social engineering has long been a standard weapon in every cyber criminal’s arsenal.

Best practice considerations

While there are some standards and industry guidance available globally, they are not complete and ratified, neither are they mandatory. However, these do represent a first line of defence, and as a first step designers and manufacturers should think ‘secure by design’ and take a proactive approach to cyber security, recognising that attacks are ‘when not if’. It is also vital to keep up to date with standards and regulations to ensure that they are working to the ‘state of the art’. Likewise, by following developments of testing frameworks, this will provide a guided, robust and cost-effective solution, alongside participating in appropriate standards workshops (for example CEN-CENELEC events for European Standards).

While, digitisation and the increasing connectivity provided by the IoMT bring enormous opportunities, unforeseeable risks and serious vulnerabilities can be exploited by new forms of cyber crime. Security that is tolerant of implant, wearable, mobile-connected, and public-network-using devices is therefore paramount. Remember, there are no ‘bad user behaviours’, only scenarios that the designer or manufacturer has failed to identify. Neither should patients be expected to shoulder any additional burden for security as it is the manufacturers’ sole responsibility to ensure up to date compliance with all standards and constantly review the ‘cyber resistance’ status of devices.

In order to harness these opportunities successfully, designers and manufacturers must be fully aware of the new challenges and take steps to minimise the risks that potentially threaten their business. Ongoing investment in cyber security is therefore crucial to keep up with both technological developments for competitive advantage, alongside effective measures to combat hacker attacks.