The sensitive and private nature of patient data means cyber security is a particularly important issue in the medical device industry. Jamie Bell takes a look at why regulatory bodies are emphasising the need for companies to safeguard their technologies.
Cyber security in medical devices – or lack thereof – became a pressing concern for the healthcare industry following an attack on the NHS in 2017.
The WannaCry cyber-attack targeted computers across the world running Microsoft’s Windows operating system, encrypting people’s data and demanding payment in the cryptocurrency Bitcoin before restoring access to it.
Ransomware attacks like this involve cyber criminals threatening to publish the victim’s data, or to deny access to it, unless a financial sum is paid.
David Brown, medical device analyst for GlobalData, says the hackers behind WannaCry caused tens of thousands of GP appointments to be cancelled and NHS ambulances to be diverted from their intended destinations.
He adds: “While this likely didn’t cause much more than an annoyance for most, it is entirely possible that patient safety could be put at risk, especially if optimal ambulance routes are not able to be used.”
The National Cyber Security Centre (NCSC) said it was “highly likely” the WannaCry attack was carried out by the Lazarus Group – a North Korean cyber organisation.
More severe cyber security concerns for the medical device industry
Despite this warning shot, the following year the UK government’s Department of Health (DoH) tested the cyber defences of 200 NHS trusts – and every single one failed to meet the required standard.
Then, in April 2018, the US Food and Drug Administration (FDA) recalled two defibrillator models made by American healthcare company Abbott after finding a potential vulnerability in their cyber security systems.
The FDA reported these vulnerabilities could allow a cyber-attacker to access the devices and rapidly deplete their batteries – or even issue improper cardiac pacing commands.
A second cyber security scare came in early 2019 when an Israeli research group at the Ben-Gurion University of the Negev developed malware that could allow attackers to add realistic images of malignant tumours into CT or MRI scans before doctors had examined them.
Worse still, they proved the same malware was able to remove real cancerous tumours from these images, which could lead to serious misdiagnosis and prevent patients receiving urgent critical care or surgery.
Thankfully, the group developed this malware only to highlight the need for improved cyber security in the healthcare sector, and had no intention of ever using it maliciously – but Brown says this research still demonstrates that attackers can seriously harm patients.
Now, regulatory bodies like the FDA seem to be taking the problem of cyber-attacks more seriously.
How are regulators clamping down on medical device cyber security threats?
In 2018, the FDA worked alongside the Mitre Corporation – an American not-for-profit organisation – to launch a cyber security playbook, with the aim of helping healthcare providers safeguard their technologies.
It states that medical device manufacturers are responsible for remaining vigilant about identifying cyber security risks associated with their medical devices – which includes putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
The playbook also contains a number of safety communications providing examples of ways in which companies can reduce the risk of unauthorised access to their medical devices.
It also encourages all manufacturers in the healthcare and medical device industries to report any cyber security issues to the FDA.
Brown believes the playbook is a “positive and practical launch pad” that ensures cyber security is central to these industries.
He adds: “Most vulnerabilities that are exploited come from out-of-date software, old equipment, and improperly designed IT and network systems.
“I see this playbook as a good start to a change in healthcare culture that takes cyber security seriously at all levels of care.
“If this is widely adopted, it will help create an environment that integrates device manufacturers, healthcare delivery organisations and the government to allow more robust and rapid responses to varying threats.”
Similarly, in December 2018, European Union negotiators reached a political agreement to reinforce the mandate of the EU Agency for Cybersecurity.
The aim of this was to better support EU member states in tackling cyber threats and attacks – while also establishing a certification framework, meaning all medical devices and connected technologies in the internet of things must reach a certain standard to be considered “cyber-secure”.
Is there still room for improvement in safeguarding medical devices?
Despite the attitude towards cyber security in the medical devices sector beginning to shift, there are still issues surrounding smart devices.
While these technologies provide improved connectivity and easier transfer of data to the cloud, their communication channels are seen as more exposed to cyber criminals.
A study by American cyber security company Carbon Black found there were more than eight attempted cyber-attacks per connected healthcare endpoint each month in 2018.
The study also found that 83% of the healthcare organisations surveyed had witnessed an increase in cyber-attacks in the past year.
While stealing highly sensitive patient data is often the intent of cyber-attackers, Carbon Black also found nearly half the organisations it surveyed had witnessed online attacks where destroying data was the main motive.
Medical Device Developments editor Emma Green also believes the industry has a long way to go before reaching the required level of cyber security.
She says: “I think that the rapid pace of technological development means the industry gets so excited about its potential that cyber security often gets overlooked.
“In addition, the drive for connected healthcare also means that systems are more vulnerable to cyber-attacks.
“More definitely needs to be done – patients, hospitals, regulators, and manufacturers need to make the software and cyber security content of new devices more accessible and generate innovative solutions to cyber security issues.”