Increasing connectivity of medical devices to computer networks and the convergence of technologies has exposed vulnerable devices and software applications to incidents. The need to protect patient data from cyber-attack is now well understood. However, the potential impact on clinical care and patient safety is raising concerns for healthcare organizations, regulators and medical device manufacturers alike. Control of a medical device could also be compromised.
This paper considers the cybersecurity challenges facing the healthcare sector arising from the convergence of technology, hyper-connectivity and recent developments in regulation. It explains the issues and tensions between safety and security and what can be done to resolve them. The paper highlights emerging good practice and approaches that manufacturers can take to improve medical device security throughout its lifecycle. The paper will also be of interest to others in the sector, including healthcare providers, IT suppliers, notified bodies and regulators. They will recognize the requirement to address security explicitly throughout the product/system lifecycle, including design, procurement, monitoring/auditing and during operation, particularly when the inevitable cyber incident occurs.
There has been exponential growth in types of medical devices, often connected to smart devices such as mobile phones, tablet computers and wearable devices, which also run medical applications/software. These devices are already found in homes today. The inherent security risk with medical devices is that they can potentially expose both data and control of the device itself. This raises a tension between safety and security, which requires greater stakeholder collaboration to address, particularly in design and regulatory approaches. These stakeholders now include regulators, device manufacturers, healthcare organizations, IT suppliers, and patients themselves.
Risks are set to increase further with adoption of the Internet of Things (IoT) by healthcare organizations and consumers. The convergence of networking, computing technology and software has enabled increasing integration of Hospital Enterprise Systems/Information Technology (IT) and Clinical Engineering (CE), and suppliers through remote connectivity. This will be revolutionized by cloud based services and the use of ‘big’ data analytics.
The domain silos of IT and CE are being bridged by networking, exposing cybersecurity weakness and exacerbated by poor stakeholder communication, legacy technology, security vulnerabilities and inadequate device management. Medical device engineering has focused upon medical safety to safeguard patients, but has not sufficiently addressed cybersecurity, despite innovation. In fact, technology convergence is creating new attack pathways and cybersecurity risks with the implementation of new technology, yet older medical devices continue to be utilized, which are often not secure and are poorly managed. Increased connectivity, wireless technologies and ‘hyper-connectivity’ continues to create new opportunities for service delivery, remote monitoring and diagnostics, but may also create unforeseen consequences. Cyber incidents arising from potential adversaries, who may inflict cyber-attacks, have significantly increased.
Medical device security has become the primary healthcare security concern following a number of high profile incidents. Justifiably, given a device infected with malware has the potential to shut down hospital operations, expose sensitive patient information, compromise other connected devices and harm patients.
New approaches to dealing with increasing cybersecurity threats have recommended all parties collaborate to identify and assess cyber risks and threats, plan mitigations and appropriate incident response to ensure patient safety and security.