Have we learned anything from medtech security breaches?


Medical Plastics News editor Laura Hughes asks why medical device cybersecurity continues to be a headache for medtech designers, despite years of scandals.

As we move into progressively more digital times, we see connected technology taking over more and more of our everyday activities – and of course, that includes our health management.

But some in the medical device and tech industries believe that healthcare providers and manufacturers are not working together effectively enough to mitigate the risk.

Carolyn Crandall, chief deception officer at Attvio Networks, a specialist in emerging cybersecurity technology, believes that stakeholders on both sides could be more proactive when it comes to the cybersecurity of medical devices. Crandall told Medical Plastics News that the topic is a source of friction between device manufacturers and healthcare providers.

According to Crandall: “If a business buys the equipment, they know that they have to manage their security. They’ve accepted that they’ve got to build defences and a strategy to try and protect their networks.

“[However] this is an investment that healthcare providers have not always sufficiently made.”

She believes that questions remain unanswered regarding who owns the devices, and who is responsible for ensuring the systems are secure.

In an article for MPN online, explaining the FDA’s stance on the issue of cybersecurity, Anita Finnegan, founder and leader of Nova Leah, a firm that develops risk assessment software for medtech, said there are ways to combat the continuously changing nature of the threat:

“Manufacturers can do this by building-in security controls during the product design phase and by continuously monitoring devices to address on-going cybersecurity concerns, […] The onus is now very much on medical device manufacturers to adopt a proactive and vigilant approach to evolving cybersecurity threats and vulnerabilities when designing, developing and maintaining the security of their medical devices.”

Nova Leah’s system, for example, aims to support medical device manufacturers by ensuring the design, verification and certification of a medical device meet industry security standards.

Despite the positive conversations taking place, cybersecurity continues to be one of the biggest challenges for connected medtech. Most recently the healthcare sector made the headlines, and once again it was for all the wrong reasons, following a data breach at Quest Diagnostics, an American clinical laboratory. In the wake of the personal information of millions of patients being exposed, Dr. Teow-Hin Ngair, CEO of SecureAge, a government and enterprise data security and encryption provider, commented: “This is not the first time the healthcare industry has seen a breach in client information. One of the fundamental issues is that medical agencies, providers and hospitals aren’t making cybersecurity enough of a priority in general.

“This could stem from the fact that lost patient records do not really impact their business directly – and they don’t lose any money directly resulting from patient record breaches. Unless more regulations are put in place, this will continue to be a recurring issue.”

The Quest Diagnostics story actually emerged from a vulnerability in the lab’s billing system, rather than from a medical device. However, it is the latest in a string of scandals that demonstrate how the connected care ecosystem remains dangerously open to attack. Stories like this need to be seen as lessons learned – drivers for change in medical device design considerations.

For example, in a guest contribution for our sister title Med-Tech Innovation News, Stacie Hoffmann from the UK’s IoT Security Foundation made the point that even since Medtronic’s high profile case involving an implantable defibrillator which was found to be vulnerable to malware attacks, many medical devices still fail to follow basic security practices, such as avoiding hard-coded passwords.

Hoffmann believes that there are 17 key considerations that must be factored into medical device design. Included among these are end-to-end encrypted data communications, as well as avoiding unsupported operating system versions in a boundaryless architecture.
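To make the hard-coded password point above concrete, here is an added example (not code from the article, from Hoffmann, or from any of the firms named) contrasting the anti-pattern with a per-device credential. The password string, the serial numbers and the PBKDF2 parameters are constructed for illustration; no real device is implied.

```python
import hashlib
import hmac
import os

# --- Anti-pattern: one password baked into every unit's firmware ---
# Whoever extracts this string from a single device, or reads a leaked service
# manual, can log in to every device of the model.
HARD_CODED_SERVICE_PASSWORD = "service123"   # constructed value, not from any real device


def login_hard_coded(supplied: str) -> bool:
    # Plain string equality also returns early at the first differing byte,
    # which leaks timing information about the secret.
    return supplied == HARD_CODED_SERVICE_PASSWORD


# --- Hardened pattern: per-device credential provisioned at manufacture,
#     stored only as a salted, iterated hash ---
PBKDF2_ITERATIONS = 200_000   # assumed tuning value; choose for the device's CPU budget


def provision_device(serial: str) -> tuple[dict, str]:
    """Generate a unique service password for one unit.

    Returns (record kept in the device's storage, password handed to the
    service organisation out of band). The plaintext never goes into firmware.
    """
    password = os.urandom(12).hex()   # 96 bits of entropy, unique per unit
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    record = {"serial": serial, "salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}
    return record, password


def login_per_device(record: dict, supplied: str) -> bool:
    """Verify a supplied password against the unit's own stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(), record["salt"], record["iterations"])
    # Constant-time comparison: run time does not depend on where the bytes differ.
    return hmac.compare_digest(digest, record["hash"])


def units_opened_by_leak(records: list, leaked_password: str) -> int:
    """Blast radius of one leaked credential across a fleet of records."""
    return sum(login_per_device(r, leaked_password) for r in records)


if __name__ == "__main__":
    fleet = []
    passwords = {}
    for serial in ("MD-0001", "MD-0002", "MD-0003"):   # constructed serials
        rec, pw = provision_device(serial)
        fleet.append(rec)
        passwords[serial] = pw
    print("hard-coded: every unit opens with the same string:",
          all(login_hard_coded(HARD_CODED_SERVICE_PASSWORD) for _ in fleet))
    print("per-device: units opened by one leaked password:",
          units_opened_by_leak(fleet, passwords["MD-0001"]))
```

With the hard-coded design, one leaked string is a fleet-wide compromise; with per-device records, a leaked password opens exactly one unit and can be rotated by re-provisioning that unit alone.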

So, what does this all mean for manufacturers of medical devices? With confusion remaining around who is actually responsible for managing cyber threats, each organisation in the supply chain needs to take responsibility for the product at the point where it is involved. The good news is that more and more experts on both sides (industry and clinical) are starting to release practical guidance to support the design process.
