Medical devices are a revolutionary aspect of healthcare – they connect doctors and patients, help diagnose and treat diseases. Some – like ECMO machines or pacemakers – prolong the life expectancy by 10-20 years.
On the flip side, it’s clear that once medical devices become commonplace, hackers will explore ways to attack them and use healthcare tools to blackmail hospital managers or public officials, get access to sensitive data, or extort influential figures by getting hold of their healthcare records.
To make sure medical device manufacturers and healthcare facility managers understand the importance of cybersecurity, the Food and Drug Administration released a set of guidelines that help device manufacturers and software engineering teams protect caretakers’ data and create a safe environment at hospitals and wellness centers.
In this post, you’ll find out how to achieve cybersecurity compliance with the FDA, what the differences in regulations within the US and the European Union are, and how the protective mechanisms of medical devices are going to improve in the future.
Why Medical Device Cybersecurity Is Important
Lately, regulators have been strictly monitoring cybersecurity compliance. In the UK, a government-level warning was issued once it became clear that not a single one of 200 tested NHS trusts met cybersecurity standards.
In 2018, the FDA prohibited the usage of two Abbott defibrillator models after attack vulnerabilities were detected in both.
What’s with the need for heightened cybersecurity? Here’s why governments all over the world are tightening the grip on medical device safety monitoring:
- Increasing patient anxiety. As people become more aware of the importance of personal data and the malicious ways it can be used, they want to be confident that their medical data is processed and stored in a secure and reliable way. Medical device manufacturers that fail to meet cybersecurity standards would have to deal with a rising number of patient inquiries and, possibly, lawsuits.
- The stakes are high. Most healthcare devices deal with human lives directly. If a pacemaker or an ECMO machine is shut down, a patient will die in a matter of minutes. High-level attack vigilance is essential – otherwise, the odds of attack-induced injuries or death skyrocket.
- Keeping doctor-patient confidentiality. Once patient data is disclosed publicly, one of the most important points in medical ethics – doctor-patient confidentiality – is put in jeopardy. Medical institution managers and regulatory bodies watch out to avoid precedents that could make the medical community doubt the validity of one of the field’s founding principles.
Areas of Cybersecurity Vulnerabilities in Medical Devices
Depending on the goal of the attacker, there are different ways to get full control of a medical device – external, internal, deliberate, or random. Certain components of the device infrastructure are more vulnerable to security threats than others – let’s examine the main vulnerability areas:
- Database servers. A lot of medical devices are connected to a database that holds all patient data. Since most data stores are queried with Structured Query Language (SQL), such servers are highly vulnerable to SQL injection. Once an attacker gets access to the database, they can copy and delete data or render the data store unavailable. Other than that, third parties can inject foreign data in such a way that it’s indistinguishable from native records.
- Web servers. One of the most common ways to manage a medical device is by connecting it to a web server and using a graphical interface to interact with it. There are plenty of online tools that scan web servers and determine potential vulnerabilities – hackers can use them to get access to the back-end of the equipment.
- Application software. The lack of rigorous pre-release security testing makes third-party tools used to support the device an easy target for hackers. Performance glitches or functional weaknesses of the code often facilitate an attack, making it easier for intruders to penetrate the system’s built-in protection framework.
Strategies for Minimizing Exposure on Medical Devices
To make sure medical devices are less vulnerable to new attack strategies, manufacturers and software developers need to adopt the following practices for reducing the exposure of their products:
- Updating legacy systems – devices, operating systems, and maintenance software. Before bringing the device to the market, a manufacturer needs to ensure all the components used are less than 5 years old and compatible with one another.
- Improving reporting and feedback loops between manufacturers and healthcare providers to prevent information leaks and report them promptly.
- Setting up security systems – firewalls, VPNs, and data access limitation algorithms.
- Implementing user protection mechanisms – passwords, encryption, and others.
- Embedding data leakage monitoring and protection tools into device management systems.
- Improving the security awareness of patients and healthcare professionals by including cybersecurity guidelines in device manuals and other documentation.
FDA Medical Device Cybersecurity Guidelines
The FDA has the chief role in ensuring and monitoring medical device cybersecurity. The agency connects with device manufacturers, hospitals and other facility managers, and government agencies to ensure data processing safety and reliability.
To set clear cybersecurity rules, the Food and Drug Administration issued a number of documents where it ranked all devices by the risk of attack and determined best practices for manufacturers and healthcare stakeholders to follow.
Tier-one and standard-tier devices
In the Draft of Guidance, released in October 2018 to help manufacturers meet cybersecurity guidelines, the FDA grouped all medical devices into three categories based on connectivity:
- Class III – a device that can be connected to the Internet, a different type of network, or other equipment. The intrusion into such tools can usually harm multiple patients at once. Pacemakers, insulin pumps, or dialysis devices are poster examples of class-three devices. These are the most subject to security risks and are monitored by FDA inspections.
- Class II devices require a pre-market FDA clearance and are subject to the 510(k) regulation.
- Class I devices are low-risk and only require an FDA registration to be brought to market.
Premarket cybersecurity assessment
According to 21 CFR Part 820, all medical device manufacturers need to implement cybersecurity management programs before bringing products to the market. The FDA specifies the required components of a viable risk management framework:
- Monitoring information sources
- Monitoring third-party software tools that software engineers integrate into medical devices and ensuring they introduce no vulnerabilities to the device
- Understanding the impact of potential vulnerabilities and security risks
- Using threat modeling, carried out by software development engineers and the testing team, to understand and recover from security risks
Assessing the exploitability of the device
Acknowledging the complexity of exploitability assessment, the FDA doesn’t recommend establishing the assessment criteria manually. Instead, the Food and Drug Administration suggests using an existing scoring system, such as the “Common Vulnerability Scoring System” (version 3.0), that offers manufacturers the following set of evaluation factors:
- Privileges required to attack – low, high, none
- User interaction – required, none
- Vector of the attack – physical, local, network, adjacent
- Complexity of the attack – low, high
- Scope – unchanged, changed
- Confidentiality impact – none, low, high
- Availability impact – none, low, high
- Report confidence
- Maturity of the exploit code – functional, proof-of-concept, high, unproven
Reporting cybersecurity vulnerabilities
FDA encourages manufacturers to release regular cybersecurity updates – medical device designers should document the practices they employ when working on products, as well as adopt a vulnerability disclosure policy that will help notify healthcare institutions in case a security threat is identified.
The Food and Drug Administration has dedicated reporting forms to stay in touch with manufacturers, caregivers, and patients:
- Manufacturing companies, importers, and facility managers need to follow the Medical Device Reporting Regulation.
- Healthcare professionals don’t have mandatory cybersecurity report requirements – to address security concerns, they can fill in the MedWatch voluntary report form for health professionals.
- Patients are encouraged to address security concerns as well – there’s a dedicated MedWatch voluntary report form for patients/consumers that helps connect with the Administration.
Expected Cybersecurity Improvements for Medical Devices
Since white-hat hackers demonstrated how easy it is to hack pacemakers, dialysis machines, and other medical devices, manufacturers, institution managers, and governments became more aware of the importance of cybersecurity.
We are already seeing the sprouting growth of cybersecurity innovations in the medical device field. Let’s take a closer look at how manufacturers are protecting user data integrity and designing tamper-proof medical devices and what is around the corner for medical tech:
- Abbott Laboratories established the practice of releasing regular security patches to protect the company’s devices from security threats and intrusion.
- The FDA and the Department of Homeland Security stimulated pre-market security testing by releasing respective regulations and guides for manufacturers.
- Healthcare organizations are starting to invest in developer salaries to create network analytics tools. These platforms help determine when a device is accessed from a suspicious IP address and alert the healthcare institution immediately.
- Device manufacturers embrace regular risk assessments, collect tools that enhance cybersecurity threat detection, and increase the security awareness among patients.
- Healthcare institutions create environmental safeguards to make sure medical devices are not vulnerable to power outages and other external events.
Recently, a growing number of medical professionals have come to understand that cybersecurity is a team effort. It’s crucial to connect all the dots that create safe treatment environments – regulatory agencies, manufacturers, hospital managers, and physicians. The good news is that medical device cybersecurity is becoming more structured and easier to oversee and comply with.
In the future, all the stakeholders of the field need to focus on building preventive mechanisms that help ensure that no vulnerable product is brought to the market. Security testing and development with data safety in mind will help create tamper-proof treatment tools. Other than that, healthcare institutions need to collaborate with white-hat hackers who will expose potential vulnerabilities and offer ways to mitigate cybersecurity risks.
Anastasia is a passionate writer and Information Technology enthusiast. She works as a Content Manager at Mobilunity, a provider of dedicated development teams around the globe. She is fond of keeping abreast of the latest news in all areas of technology, Agile project management, and software product growth hacking, at the same time sharing her experience online to help tech startups and companies be up-to-date.