In 2021, an employee at Ireland’s public health and social services system—the Irish Health Services Executive (HSE)—opened a spreadsheet that was sent by email. The file contained malware. After two months of free access to the network, the attackers released ransomware into the system. As the BBC reports, the impact was devastating. More than 80% of the organization’s IT infrastructure was affected, and thousands of patients’ care was disrupted.
Unfortunately, attacks like these are all too common. Bad actors recognize an opportunity when they see one. And hospitals and healthcare facilities are among the most vulnerable to attacks, due to aging equipment, understaffed IT departments and a false sense of security. After all, who would hack a hospital? Turns out, many people would. Purely for the money.
Holding a healthcare system hostage with ransomware can deliver swift and lucrative returns for attackers. In the US, patient medical records are up to 50 times more valuable than credit card numbers. In Europe, violations of GDPR regulations can carry hefty fines. The financial consequences alone make medical device protection a necessity, let alone the risk for patients.
The Turning Tides
In 2021, there were a record number of ransomware attacks on health care, and while the average pay-out to attackers in the US was around $197K, the average cost of recovery per incident was $1.85M. And the hospitals are only able to recover around 65% of their data after an attack.
The tide finally began to turn in 2022, as we saw a shift not only in awareness in the medical industry about the importance of cybersecurity, but also in more decisive action from legislators to help increase cybersecurity and close gaps in medical device protection. As in most other industries, cybersecurity in health care is anything but simple. But significant changes can be expected in the coming years.
Legal and Regulatory Action
By their nature, medical devices—especially hospital equipment like CT scanners, MRI machines, X-ray equipment and the like—are expensive and built to last a long time. Most of the equipment is either unequipped for software and security updates, or the work is simply not done, due to the typically small IT security staff, the continued use of the devices, and the vast amount of equipment that needs to be monitored and updated. The long life of these machines also means that rectifying the shortcomings will be no easy task. Still, there are steps in the right direction.
Governments around the globe are intensifying their scrutiny—and regulation—of Medical Device Manufacturers (MDMs), starting with Software Bill of Materials (SBOM) requirements that will push MDMs to be more attentive to security threats during development and more vigilant about security throughout the device’s lifetime. In addition, the European Union’s Medical Devices Regulation (MDR) is four times longer than its predecessor, the Medical Device Directive (MDD), and contains a vast amount more safety and data security regulations. When the regulation takes effect, unless an MDD-certified device is certified under MDR, it will be excluded from the market. In addition, the International Medical Device Regulators Forum (IMDRF) has issued new guidance related to cybersecurity that will further modify cybersecurity activities under MDR.
Lastly, the FDA is revising its medical device security guidelines, including the Quality Systems Consideration and Content of Premarket Submissions. While it will take the industry some time to implement the practices required in these soon-to-be-published guidelines, their mere existence is an important step.
Perhaps most importantly, the entire industry is being called to accountability. Every stakeholder is now responsible for engaging in the ongoing process of cybersecurity improvement across all product lifecycles. And directives like NIS2 are essential to compel companies to report and register significant attacks. The more transparency and accountability in place, the more secure the industry becomes.
As positive as these legislative developments are, there is still concern for device designers and manufacturers. Oftentimes, major innovation in medical devices happens at a small start-up or a medium-sized MedTech company. To remain viable in this heavily competitive market, SMEs often don’t have the funds to invest deeply in cybersecurity staff or to ask the right questions about what is possible with their devices. Complying with these new regulations and required activities, therefore, requires external cybersecurity expertise and thorough investigation by qualified experts.
With SBOM, MDR and related regulations threatening to slow innovation and time to market, SMEs are looking for answers. And cybersecurity experts can help with services such as pen testing and threat modelling, as well as managed service designed to meet the NIS2 directive. This helps ensure that MDMs are informing stakeholders of security issues, including vulnerabilities and breeches, through trusted channels and well within the directive’s parameters.
What’s more, as devices continue to evolve and the medical community uncovers how to best utilize AI and Machine Learning to advance diagnostic assistance, qualified second opinions and other medical support, device designers will need to continuously consider the security risks and defend against them.
Still, the weakest link in the security chain remains the human one. A single employee opening a single email attachment shut down the entire Irish public health care system. IT professionals in clinics and hospitals often lose track of the number of devices connected to their networks simply due to the sheer volume of devices, and healthcare administrators can’t afford to replace equipment that functions perfectly but offers sub-par security. Therefore, ongoing training is essential to better protect the medical industry.
While there is plenty to do today to make systems more secure, no connected system is ever 100% safe. And the current geopolitical climate is increasing the risk of cyber attacks. It is certainly possible for nation-state actors to infect hardware systems with malware, simply to undermine infrastructure in their target region. Hackers will never stop trying to profit off vulnerabilities to make a fast buck. Nothing short of a Zero Trust Architecture and constant vigilance will help the medical device industry prepare for and defend against attacks and properly recover if and when they occur.
Still, there is reason to be optimistic. As awareness increases and regulations take effect, great momentum is building in the device industry. Security is top of mind and MDMs are reaching out to security experts to take swift and definitive action to plug up as many holes as possible, keep their devices secure and protect crucial patient data and public infrastructure. And, while 2023 may be a year of transition and adjustment, the years beyond will likely offer vastly more secure medical devices than any we have ever seen before.