Medical Device Cybersecurity: It Takes a Village


It seems that not a month goes by without a cybersecurity incident that seriously impacts a community healthcare provider.  This may be a phishing scheme that results in tens of thousands of patient medical records becoming compromised, or it can be a ransomware attack where the system storing the EMR becomes encrypted, potentially crippling the delivery of care.  In an extreme example, the California provider Wood Ranch Medical decided to close its doors at the end of the year after hackers completely wiped its computer systems and backup drives.  The challenge is exacerbated by the implementation of the Internet of Things (IoT), where hospitals now have 10 to 15 connected devices per bed.  These devices do not have firewalls or the ability to detect malware.  For example, 48 UK hospitals were significantly impacted by the WannaCry ransomware attack in May 2017.  Vital medical device equipment such as MRI scanners and X-ray machines had to be taken offline, resulting in the cancellation of many patient procedures and appointments.

Many health IT executives have operated under the false impression that their medical practice or hospital is not significant enough to become a target.  Unfortunately, organizations can now become collateral damage of indiscriminate attacks that have been characterized as acts of war. A prime example is the NotPetya cyberattack that occurred in June of 2017.  On the surface, this appeared to be a variation of the Petya ransomware that was first discovered in 2016.  This strain was designed to spread across computer networks at an extraordinarily rapid rate.  One network of a large Ukrainian bank was wiped out in 45 seconds, and a portion of a major Ukrainian transit hub was down in under 16 seconds.  Worse yet, the virus was a data wiper by design.  There was no ransom that could be paid to recover the encrypted information.  The financial losses were enormous:  $870 million for the Merck pharmaceutical company, $400 million for FedEx, $384 million for the French construction company Saint-Gobain, $300 million for the Danish shipping company Maersk, and the list goes on.  The White House estimated that the global impact of the virus topped $10 billion.

So, can this be viewed as a health IT problem as opposed to a Medical Device problem? 

Well, not really.  In the case of NotPetya, the virus took advantage of a vulnerability in Windows that permits unauthorized code to run on the machine.  Prior to the outbreak, Microsoft had released a patch that closed the security hole in the operating system.  Unfortunately, the virus also leveraged shared network credentials harvested from an unpatched machine in order to gain access to other machines on the network, whether their OS was patched or not.  Networks were impervious to the virus only if the latest security patches from Microsoft were fully deployed on every machine in the network.  Any machine could serve as the access point that brought down the entire network, whether a medical device or otherwise.  Healthcare networks were particularly vulnerable given the tendency to keep IT equipment in service for 15+ years when the duration of operating system support is typically under 10 years.  The challenges faced by manufacturers and healthcare facilities alike are very similar from the standpoint of cybersecurity.  The Medical Device and Health IT Joint Security Plan, released by the Healthcare and Public Health Sector Coordinating Council in January 2019, clearly states that cybersecurity is a shared responsibility across the wide range of healthcare stakeholders.

As bad as the losses were from NotPetya, the damage could have been a lot worse.  By executive order in 2015, the Department of Homeland Security established Information Sharing and Analysis Organizations.  A core mandate of the ISAOs is coordination of cybersecurity information-sharing within the Federal Government and across private sector partner institutions.  Within 24 to 48 hours of the initial attack, a wide range of organizations issued press releases on the root cause and potential defensive measures to avoid outbreaks on company networks.  Medical device manufacturers are encouraged to voluntarily share security vulnerabilities with the other members of the healthcare community.

The Joint Security Plan identified three types of cybersecurity concerns for medical device manufacturers:

  1. concerns that impact product availability;
  2. concerns that impact patient privacy; and
  3. concerns that impact patient health.

Medical device availability could be impacted by a denial of service if proper safeguards are not in place to prevent uncontrolled resource consumption.  Patient privacy can be violated when sensitive patient information sent over the internet without proper encryption is subsequently exposed to anyone observing the network traffic.  Furthermore, improper data integrity checks can make the system susceptible to a parameter injection that alters the delivery of therapy and therefore impacts patient health. The danger is significant enough that some doctors are discussing cybersecurity risk with patients when recommending medical devices.
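To make the third concern concrete, here is an added example (written for this page, not code from the article or from any device manufacturer) contrasting a therapy-command handler that performs no integrity check with one that authenticates each message, rejects replays, and range-checks the parameter before applying it. The shared key, the message format, the basal-rate bounds and the command values are all constructed for the example.

```python
import hashlib
import hmac
import json

# Shared symmetric key provisioned to the pump and its controller at manufacture.
# Constructed for this example; a real device keeps it in protected storage.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Illustrative clinical bounds for a basal rate in units per hour (chosen for this
# example, not taken from any product labelling).
MIN_BASAL_RATE = 0.0
MAX_BASAL_RATE = 5.0


class RejectedCommand(Exception):
    """Raised when an incoming therapy command fails integrity or bounds checks."""


def new_pump_state():
    """Minimal device state: the current basal rate and the last accepted counter."""
    return {"basal_rate": 0.8, "last_counter": 0}


def unchecked_apply(state, message: bytes):
    """Weak design: trusts whatever arrives on the link and applies it as-is."""
    cmd = json.loads(message)
    state["basal_rate"] = cmd["basal_rate"]
    return state


def sign_command(counter: int, basal_rate: float, key: bytes = DEVICE_KEY) -> bytes:
    """Controller side: serialise the command and append an HMAC-SHA256 tag."""
    body = json.dumps({"basal_rate": basal_rate, "counter": counter}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def checked_apply(state, message: bytes, key: bytes = DEVICE_KEY):
    """Hardened design: authenticate first, reject replays, then range-check."""
    parts = message.rsplit(b"|", 1)
    if len(parts) != 2:
        raise RejectedCommand("malformed message")
    body, tag = parts
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        raise RejectedCommand("authentication failed")
    cmd = json.loads(body)  # body is authentic at this point
    counter = cmd.get("counter")
    if type(counter) is not int or counter <= state["last_counter"]:
        raise RejectedCommand("stale or replayed command")
    rate = cmd.get("basal_rate")
    if type(rate) not in (int, float) or not (MIN_BASAL_RATE <= rate <= MAX_BASAL_RATE):
        raise RejectedCommand("basal rate out of clinical bounds")
    state["last_counter"] = counter
    state["basal_rate"] = float(rate)
    return state


def outcome(state, message: bytes) -> str:
    """Run the hardened handler and report whether the command was applied."""
    try:
        checked_apply(state, message)
        return "accepted"
    except RejectedCommand as exc:
        return f"rejected: {exc}"


def run_scenarios() -> dict:
    """Exercise both designs against constructed traffic; returns what each did."""
    results = {}

    weak = unchecked_apply(new_pump_state(), b'{"basal_rate": 50.0}')
    results["unchecked"] = weak["basal_rate"]  # an unsafe value, applied silently

    state = new_pump_state()
    genuine = sign_command(1, 1.2)
    results["valid"] = checked_apply(state, genuine)["basal_rate"]

    tampered = genuine.replace(b"1.2", b"4.9")  # value altered in transit, tag unchanged
    results["tampered"] = outcome(state, tampered)

    results["replay"] = outcome(state, genuine)  # same counter presented again

    results["out_of_range"] = outcome(state, sign_command(2, 50.0))  # authentic but unsafe
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The order of the checks matters: authentication runs before the JSON is interpreted, so malformed or altered input is discarded before it can influence parsing; the counter closes the replay case; and the clinical bounds check is the last line of defence even against a correctly signed command, which is where the safety analysis and the security analysis meet.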

Moreover, cybersecurity has become an essential component built into the product from the ground up. The International Medical Device Regulators Forum released in October 2019 a draft document of Principles and Practices for Medical Device Cybersecurity.  It underscores the need for cyber secure solutions in the healthcare environment to encompass the entire life cycle from early stage development planning through decommissioning of deployed equipment.

So how should a medical device manufacturer incorporate cybersecurity into patient centered design? 

A clear starting point is to view cybersecurity as another component in sound risk management principles as outlined in ISO 14971.  These steps include:

  1. identifying potential vulnerabilities;
  2. quantifying the associated risks with each vulnerability;
  3. implementing controls to bring risks to an acceptable level; and
  4. monitoring the effectiveness of each of the controls.

In this manner, cybersecurity design input requirements may be analyzed in much the same way a manufacturer uses failure mode and effects analysis to assess the likelihood that a power cord is damaged and subsequently could impact patient health.  There is potential interaction between patient safety risk and cyber risk: when a control for one is changed, the other must be re-evaluated to ensure proper control is still in place.  In the event of a perceived conflict, patient health and safety have precedence over security.
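The four steps above can be captured in a small risk register. The following is an added example, written for this page rather than taken from the article, ISO 14971 or Syncro Medical: it scores each hazard on a severity-times-probability matrix, counts only verified controls toward the residual risk, compares the result with an acceptability threshold, and flags any control that raises patient safety risk for safety re-evaluation. The five-level scales, the threshold of 6, the hazards and the controls are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    """Consequence to the patient. Five-level ordinal scale chosen for this example."""
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


class Probability(IntEnum):
    """Likelihood of the harm occurring. Example scale of the same kind."""
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


# Risk index above which a hazard is not acceptable; a policy value chosen for illustration.
ACCEPTABLE_RISK = 6


@dataclass
class Control:
    name: str
    severity_after: Severity
    probability_after: Probability
    verified: bool = False        # step 4: monitoring has confirmed the control works
    safety_impact: str = "none"   # "none", or "increases" patient safety risk


@dataclass
class Hazard:
    identifier: str
    description: str
    severity: Severity
    probability: Probability
    controls: list = field(default_factory=list)


def risk_index(severity: Severity, probability: Probability) -> int:
    """Step 2: severity x probability, as an integer index on the risk matrix."""
    return int(severity) * int(probability)


def residual_risk(hazard: Hazard) -> int:
    """Step 3: risk after controls. Only verified controls count, and the most
    effective verified control sets the residual (a simplification of combined effect)."""
    verified = [c for c in hazard.controls if c.verified]
    if not verified:
        return risk_index(hazard.severity, hazard.probability)
    return min(risk_index(c.severity_after, c.probability_after) for c in verified)


def assess(register: list) -> dict:
    """One finding per hazard: scores, acceptability, and required follow-ups."""
    findings = {}
    for h in register:
        res = residual_risk(h)
        findings[h.identifier] = {
            "initial": risk_index(h.severity, h.probability),
            "residual": res,
            "acceptable": res <= ACCEPTABLE_RISK,
            "unverified_controls": [c.name for c in h.controls if not c.verified],
            # Patient safety takes precedence: a control that raises safety risk must go
            # back through the safety analysis before it is relied upon.
            "safety_review_needed": [c.name for c in h.controls if c.safety_impact == "increases"],
        }
    return findings


def example_register() -> list:
    """Constructed hazards for a connected infusion device; not from any real analysis."""
    return [
        Hazard("SEC-01", "therapy parameters changed by an unauthenticated network message",
               Severity.CATASTROPHIC, Probability.OCCASIONAL,
               [Control("authenticate and range-check parameter updates",
                        Severity.CATASTROPHIC, Probability.IMPROBABLE, verified=True)]),
        Hazard("SEC-02", "network stack exhausted by unsolicited traffic; device unavailable",
               Severity.SERIOUS, Probability.PROBABLE,
               [Control("rate-limit inbound connections",
                        Severity.SERIOUS, Probability.REMOTE, verified=False)]),
        Hazard("SEC-03", "unattended logged-in session used to alter settings",
               Severity.CRITICAL, Probability.PROBABLE,
               [Control("auto-lock session after inactivity",
                        Severity.CRITICAL, Probability.REMOTE, verified=True,
                        safety_impact="increases")]),  # may delay a clinician in an emergency
    ]


if __name__ == "__main__":
    for hazard_id, finding in assess(example_register()).items():
        print(hazard_id, finding)
```

Running it shows the three outcomes the text describes: SEC-01 drops from 15 to 5 and is acceptable; SEC-02 stays at 12 because its control has not yet been verified, so the register reports the control rather than silently taking credit for it; and SEC-03 improves to 8 but remains unacceptable, and its session-lock control is flagged for safety review because a control that can delay care has to be judged on patient safety first.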

A key aspect of successful cyber risk management is the verification and monitoring of the various controls.  This includes applying secure coding and system hardening standards and periodically conducting vulnerability scanning throughout the product development cycle.  Security patches should be made to fix vulnerabilities in the various software components during both the product development and deployment phases.  Normally, patches that anticipate cybersecurity concerns may be considered a product enhancement or upgrade, and typically do not require FDA notification if the residual patient risk is acceptable. The FDA guidance Postmarket Management of Cybersecurity in Medical Devices specifies notification when a patient incident has occurred or there is an unacceptable risk of patient harm due to inadequate mitigating controls.  The requirements include identifying the impacted devices and providing a remediation plan within 30 days of learning about the vulnerability.  Patch fixes should be made available as soon as possible, but no later than 60 days after being alerted to the vulnerability.

The June 2019 Medtronic recall of MiniMed 508 and MiniMed Paradigm insulin pumps is a real-world example of acting upon cybersecurity risk analysis.  A potential vulnerability was identified whereby an unauthorized person could connect to these devices and change the amount of insulin delivered.  According to the FDA, this may have a dire impact on patient health, including hypoglycemia (when too much insulin is delivered) or hyperglycemia and diabetic ketoacidosis (when too little is delivered).  The risk of patient harm would be significant if the security vulnerability were left unaddressed.  The recalled devices were first released to market prior to 2013, so they do not have the update capabilities required by the more recent guidelines.  Consequently, Medtronic is providing replacement insulin pumps with advanced cybersecurity capabilities built in.

So, it takes a village for medical device cybersecurity

The nature of the interconnected devices both within and between healthcare facilities makes cybersecurity a concern for each connected device on health IT networks.  Medical device manufacturers have a heightened level of responsibility given the direct and potentially significant impact on both patient health and privacy.  Cybersecurity management needs to play a pivotal role in the full life cycle of medical device design and deployment.  However, like other aspects of software engineering such as UX/UI, it is no longer a product differentiator when built according to best practices.  Cybersecurity is not the secret sauce that provides a competitive advantage when done right.  But a security failure may become very costly for a manufacturer and become a competitive disadvantage in the long term.  For over 30 years, Syncro Medical has understood the importance of building reliable products for the healthcare “village”.  Syncro Medical incorporates cybersecurity methodology from project start to finish, and security is baked into all of our mobile, device, desktop and web solutions.  Let us develop your secure product so you can focus on making it stand out in your marketplace.
