In recent years, cyberattacks have had a significant negative impact on institutions in the financial, government and health sectors. Not so long ago the threat was merely theoretical, but cyber criminals are now able to inflict widespread harm across global networks using relatively simple tools such email and malware.
In cases to date, medical devices have not been deliberately targeted, but if these appliances are linked to a hospital network that is vulnerable to attack (such as diagnostic equipment) the threat-level is high.
“The FDA isn’t aware of any reports of an unauthorised user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” wrote FDA commissioner Scott Gottlieb in October 2018, in a statement on strengthening the agency’s medical device cybersecurity programme. “But the risk of such an attack persists.”
Level of risk
GlobalData medical device analyst David Brown supports the view that while most attacks in the healthcare space have involved data breaches, the line between private patient data and a patient’s wellbeing is not impenetrable.
“During the WannaCry Ransomware attack on the NHS in 2017, tens of thousands of appointments were cancelled and there were reports of ambulances being diverted to other facilities,” he comments. “While this likely didn’t cause much more than an annoyance for most, it is entirely possible that patient safety could be put at risk, especially if optimal ambulance routes are not able to be used.”
Cybersecurity experts – known in the industry as ‘white hat hackers’ – have uncovered security issues with medical devices in clinical and research-based settings, and it can only be a matter of time before a criminal hack involving these products is attempted. Brown confirms that medical devices have been shown to be vulnerable to direct attack.
“The FDA recently recalled Abbott’s RF-enabled implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds),” he reports, “after a potential vulnerability was discovered that would allow an attacker to access the devices and rapidly deplete their battery stores or even issue improper cardiac pacing commands.”
Another drastic example was reported earlier this year by an Israeli research group at Ben-Gurion University of the Negev.
“They demonstrated that CT scanners with outdated software were vulnerable to attack and would allow the adjustments of applied radiation to harmful levels,” Brown continues. “While these direct vulnerabilities to control particular medical devices might be limited in most cases, there certainly have been demonstrated cases where attackers could have seriously harmed a patient.”
The FDA ‘playbook’
In October of last year, in association with the MITRE Corporation, the FDA launched a cybersecurity ‘playbook’ for healthcare providers with the aim of promoting cybersecurity safety. The regulator also announced two agreements which will unite multiple stakeholders to encourage transparency and data sharing around cybersecurity risks.
Brown believes the ‘playbook’ is a positive and practical launch pad that ensures cybersecurity is at the very core of the healthcare industry.
“While the document outlines a very high level process it does focus on a few key areas that must be focused on by healthcare providers at all levels,” he says. “Most vulnerabilities that are exploited come from out-of-date software, old equipment, and improperly designed IT and network systems. I see this playbook as a good start to a change in healthcare culture that takes cybersecurity seriously at all levels of care.”
The ‘playbook’ will assist healthcare delivery organisations (HDOs) in initiating processes that will help bolster their cyber defences, as well as increase communication between HDOs, manufacturers and governmental regulatory bodies.
“If this is widely adopted,” he adds, “it will help create an environment which integrates device manufacturers, HDOs and the government to allow more robust and rapid responses to varying threats.”
The challenge ahead
It seems unlikely, however, that the ‘playbook’ alone will magically solve the threat of cyberattacks in the healthcare space. The industry needs to place emphasis on medical device approval pipelines that stress cybersecurity during all phases of a device’s lifecycle –from design to late-stage support.
In the interconnected healthcare sphere, it is crucial to ensure that devices are designed from the ground up to be resistant to external attack, and to have plans in place when a company decides to stop ‘supporting’ a device.
“While there are guidelines in place to ensure cybersecurity in devices,” explains Brown, “these do not appear to be fully adequate. Technology is a difficult thing to get right ‘the first time’ however, and the playbook does emphasise continual vigilance which will be important moving forward.”
There is a risk that if approval guidelines are too stringent, it may stagnate the development of new and novel devices that could help the population at large. Regulating new medical device technology needs to strike a balance between therapeutic benefits and safety regulations in the cybersecurity space.
“One thing that I would like to see implemented would be a proactive approach from the FDA,” says Brown. “The FDA could implement cybersecurity testing on approved devices and perhaps in a periodic nature. If regulatory bodies could identify exploits before they are abused it would limit the potential scope of damage inflicted.”
The EU position
As an aside, it is worth giving a mention to Europe’s recently implemented cybersecurity measures, though quite how Britain will choose to act in this area post-Brexit remains to be seen.
In December 2018, EU negotiators reached a political agreement on the 2017 Cybersecurity Act, which reinforces the mandate of the EU Agency for Cybersecurity, (European Union Agency for Network and Information and Security, ENISA). The aim is to better support member states in tackling cybersecurity threats and attacks; it will also establish an EU framework for cybersecurity certification of specific ICT processes, products, and services, and medical devices are explicitly mentioned.
As technology continues to evolve and the interconnectedness of devices continues to progress, on a global scale, designing robust cybersecurity protocols at both the device and regulatory body levels will be crucial. Safeguarding health systems and patient wellbeing depends upon it.