Increased use of telehealth, forced by the global COVID-19 pandemic, arrived at a time when heightened connectivity of medical devices to computer networks and a convergence of technologies already exposed devices and software applications to a variety of threats. The need to protect patient data from cyberattacks is well understood, but the potential risks from such hacking for clinical care and patient safety haven’t been addressed adequately by healthcare organizations, regulators and medical device manufacturers.
The inherent security risk with medical devices is that they can potentially expose both data and control of the device itself to attack. This exposure creates a tension between safety and security, which requires greater stakeholder collaboration to address, particularly in design and regulatory approaches. Put simply, medical device engineering has focused on medical safety for patients but has not sufficiently dealt with cybersecurity for the devices, despite some innovation.
In the age of telemedicine and increased cybersecurity risk, how can healthcare organizations, regulators, medical device manufacturers and consumers ensure their safety?
In 2020, the telehealth market is experiencing a tsunami of growth, and Frost & Sullivan forecasts a year-over-year expansion rate of 64.3% in the United States. “The challenges presented by the COVID-19 pandemic have obliterated the normal growth sequence for telehealth,” the consulting firm said in an April 2020 report.
The unexpected dependence on telehealth this year, in tandem with the increased network connectivity of medical devices and converging technologies, has exposed vulnerable devices and software applications to cyber incidents.
Risks are expected to continue to increase with the gradual adoption of the Internet of Things (IoT), or connected devices, by healthcare organizations and consumers. All these factors have enabled increasing integration of hospital enterprise systems/information technology (IT), clinical engineering (CE) and suppliers through remote connectivity. This increased adoption will be revolutionized further by cloud-based services and the use of big data analytics.
The domain silos of hospital enterprise systems/information technology and clinical engineering are being bridged by networking, exposing cybersecurity weaknesses, and revealing poor stakeholder communication, legacy technology, security vulnerabilities and inadequate device management. Medical device engineering up to now has focused more on patients’ medical safety. In fact, technology convergence is creating new attack pathways and cybersecurity risks as older, less secure medical devices continue to be used. For example, newer devices using older Bluetooth protocols such as blood glucose monitors, pulse oximeters or asthma inhalers could all be affected and provide inaccurate results.
Increased connectivity, wireless technologies, and “hyper-connectivity” often create positive new opportunities for service delivery, remote monitoring and diagnostics, but may also foster unforeseen consequences.
According to the U.S. Department of Health and Human Services, “there has been an increase in cybersecurity breaches in hospitals and healthcare providers’ networks which may be due to COVID-19. Between the months of February and May of this year, there have been 132 reported breaches, an almost 50% increase in reported breaches during the same time last year,” according to Healthcare Finance.
Threats come from several sources and can be categorized as adversarial, natural (including system complexity, human error, accidents and equipment failures) and natural disasters. Adversarial groups or individuals, also known as “threat actors,” have varying capabilities, motives and resources.
One example, familiar to many in the security industry: Non-profit hospital system MedStar Health in 2016 received a cyber ransom note from hackers demanding a bitcoin payment to ensure Medstar’s continued access to its encrypted computer systems.
Notifications were displayed on infected computers, threatening loss of data after 10 days. Patient records for 10 hospitals and 250 outpatient centers were reported to be either unavailable and or could not be updated, and MedStar relied on paper backup systems. Patient operations were cancelled, and ambulances diverted. Nurses and doctors highlighted safety issues, from treatment delays to problems with test results and the administering of medication before normal operations could be resumed.
With connected medical devices, there is an increased vulnerability due to their connectivity to the internet, hospital networks, other medical devices, mobile computing and phones.
To increase patient protections, health IT providers and medical device manufacturers need to plan for the worst, asking tough questions such as:
Medical device security has become a primary healthcare security concern after several high-profile incidents like the Medstar aggression. Justifiably so, given that a device infected with malware has the potential to shut down hospital operations, expose sensitive patient information, compromise other connected devices—and harm patients. Medical device manufacturers and healthcare organizations need to move swiftly to implement safeguards to reduce the risk of failure or misuse in the event of a cyberattack.
A common issue in IoT and medical device technology is the limitations found in hardware resources, power, memory and CPU. Ensuring the device can perform robust and resilient secure communications means implementing light-weight mutual authentication mechanisms that provide authenticity of the devices and server, in addition to simply encrypting the communications.
IoT device manufacturers should also avoid using a “Security Through Obscurity” approach or assuming that proprietary and obscure protocols are enough to avoid attention. For example, the Low Power Wide Area Networks (LPWANs) that connect IoT devices are wildly different from the 802.11 WiFi networks that are part of our everyday experience. But the more obscure protocols such as Long Range Wide Area Network (LoRaWAN) that power the communication of IoT devices are still vulnerable to replay and denial of service attacks.
With the sensitivity of medical devices to cybersecurity breaches so obvious in uncertain times, how can healthcare providers ensure safety?
One way could be leveraging well-recognized standards like BS EN ISO 14971: 2019 Medical Devices – Application of Risk Management to Medical Devices. Recognized by regulatory authorities globally, this standard guides medical device manufacturers to establish, document and maintain a systematic risk management process across the lifecycle of a medical device.
Use of the standard helps streamline the regulatory processes for entry to selected markets. It’s meant for all parts of the medical device industry, and organizations dealing with the design, development, production, installation or servicing of medical equipment, devices and technology. The standard’s process helps device manufacturers identify the hazards associated with a medical device, estimate and evaluate associated risks and control them, then monitor the effectiveness of the controls.
Another defense can be performing security risk assessments that don’t just focus on patient information as the primary asset to be defended. Instead, healthcare providers should explicitly consider the outcomes, systems and processes for which the information is used. A balance needs to be achieved among safety, security and privacy. Hospitals and healthcare facilities should also consider augmenting their HIPAA compliance with ISO 27799:2016 Health informatics – Information security management in health using ISO/IEC 27002, which provides guidance for a set of controls that can be effectively used for managing health information security. Applied to ISO 27002:2013 Information technology – Security techniques – Code of practice for information security controls , the controls that need to be considered when implementing a system to manage the security of the organization’s information, ISO 27799 speaks particularly to securely managing health informatics.
It’s clear medical device manufacturers, and healthcare organizations implement, or ensure they consistently update, safeguards to reduce the risk of failure or misuse in the event of a cyberattack, especially when telehealth’s use is rising during the pandemic. However, by leveraging industry standards, organizations can help inoculate against cyberthreats from malicious actors and user error alike.
Ultimately, any device in the medical ecosystem can be a stepping stone that a malicious actor can use to gain access to patient data, an in the end, medical devices and IoT systems are just computers. The basics of patching, least privilege, and monitoring still apply.