Under attack: How safe is your connected medical device?

Lu Rahman examines the growing issue of cybersecurity and medical devices.

The global connected health and wellness devices market is forecast to reach US$612.0 billion by 2024, according to a report by Grand View Research.

As populations start to live longer, healthier lives, the demand for wearables has increased – and will continue to do so if these figures are correct. In recent years, patient monitoring has increased, with healthcare organisations across the globe looking to improve the patient experience and ease the burden on hospital facilities.

With increased technology comes increased risk. Devices and organisations are vulnerable. Via MPN’s sister site, DigitalHealthAge.com, we regularly report on data breaches in the healthcare sector. The UK’s National Health Service (NHS) is often under attack – according to a Freedom of Information study carried out by SentinelOne, almost a third of NHS Trusts have experienced an attack on data and systems. This could potentially put patients’ lives at risk.

Tony Rowan is chief security officer at SentinelOne. He told DigitalHealthAge that: “Old school antivirus technology is powerless to halt virulent, mutating forms of malware like ransomware and a new, more dynamic approach to endpoint protection is needed.”

Whether attacking a hospital or a device, all threats endanger lives. This has been recognised by the FDA, which has produced guidelines for post-market cybersecurity risk management of connected medical devices.

The 30-page document comes from a legitimate concern for medical devices that are already FDA approved, and the potential for them to be hacked. The document recommends that medical manufacturers should monitor, identify, and address cybersecurity vulnerabilities as part of their post-market management of medical devices and consider the product’s entire lifecycle when doing so.

Dr Anita Finnegan is CEO of Nova Leah, a company specialising in cyber security solutions for medical devices. She explained: “Increased connectivity of medical devices to hospital IT-networks provides significant benefits to patient care but also exposes both manufacturers, healthcare providers and patients to cybersecurity risks which can affect the safety of between 10 and 15 million connected devices currently being used by patients.

“The newly published post-market recommendations provide device manufacturers with a set of practices designed to assure the security of devices once in use. These include: Monitoring cybersecurity information to help identify and detect vulnerabilities; maintaining software life-cycle processes such as: monitoring third-party software components for new vulnerabilities; design verification and validation for software updates and patches; using threat modelling to help maintain the safety and performance of a device, and mitigating cybersecurity vulnerabilities early and before they are exploited.”

Finnegan recommends that medical device manufacturers build in security controls during the product design phase and continually monitor devices to address future cybersecurity concerns.  

At the University of Arizona, electrical and computer engineer Roman Lysecky is looking at ways to develop technology to improve malware detection in pacemakers and other life-critical devices.

"It used to be that we only had to worry about breaches of our computers and smartphones," said Roman Lysecky, associate professor in the University of Arizona Department of Electrical and Computer Engineering.

"Industry analysts predict that by 2020, most of the 20 billion electronic devices on the market will be interconnected — and millions of these will be implantable medical devices."

These devices include pacemakers, insulin pumps and brain neurostimulators. Monitoring patients at home or remotely and transmitting data to healthcare professionals makes this technology vulnerable.

According to The University of Arizona, there are over 225,000 people in the US with implanted pacemakers. Should a hacker be successful, these individuals could suffer cardiac arrest.

With this in mind, Lysecky is developing technology – using a prototype of a network-connected pacemaker – that allows implantable medical devices (IMDs) to detect malware and security breaches yet continue to function properly.

So what next? Speaking at HIMSS2017, health data security expert Mac McMillan, CEO of CynergisTek, recommended: “I get a little irritated when people mention ransomware because people look at ransomware as if it's this big amorphous thing. It's actually just one type of attack, one type of malware that's out there. But because we had a large volume of ransomware attacks last year, all of a sudden we had people thinking they had to spend money on advanced malware technology to spot those things, to spot attachments to emails that could potentially have malware in them.

“We always have had that. Why haven't we been doing that already? Just going after one thing is not going to solve this problem. We need to get back to the basics, like using two-factor authentication. Build a solid infrastructure. Do a good job in terms of security hygiene with respect to how you manage your environment, meaning keeping operating systems up-to-date, patching things regularly, configuring things smartly and employing technology in layers throughout the environment.”
