It is increasingly common to hear about medical devices that are connected to the internet, hospital networks and even other medical devices to improve healthcare and help healthcare providers treat patients.
However, this wave of new tech can also raise significant concerns, specifically cybersecurity threats. Just like any other computer system, these medical devices are vulnerable to being meddled with by hackers.
From insulin pumps to cardiac implants like pacemakers, from imaging and diagnostic devices to data management systems – all have been either the direct target of cybersecurity attacks or have presented serious vulnerabilities to such attacks.
The consequences of these attacks aren’t, or at least shouldn’t be, surprising: device malfunction is the main concern, closely followed by personal data breaches and the inability to access data from devices. The question is, why are medical devices so vulnerable?
While improving medical devices to keep up with the latest tech trends tends to be a good thing, it can simultaneously pose a threat if these improvements are implemented without the proper precautions.
Interconnectivity is a positive of more modern medical devices, but it comes with potentially severe risks that need to be accounted for. The more interconnected devices are, the more prone they are to cyber-attacks because they’re increasingly connected to the internet. One can safely say that it’s a close race between medical device manufacturers and hackers, as each tries to stay ahead of the other – safety versus threat.
Updating is a challenge
Medical devices are systems like any other, which is to say that they will need updating to correct software flaws and to ensure that they’re fully compliant. However, performing these updates isn’t as easy as it sounds. Applying corrections can take longer than desirable, and by the time these fixes are applied, new threats may have arisen. Moreover, many hospitals still run legacy operating systems that are no longer supported, which makes updating medical devices even more complicated.
Adding to the challenge of keeping medical devices updated, there’s also the problem caused by devices that simply don’t receive updates anymore. Both situations give hackers an entry point for meddling with systems and putting patients in harm’s way – whether this involves functional changes applied to the device or unauthorised access to personal information.
Refitting of Medical Devices
To keep up with market trends and consumer demands, manufacturers have refitted some of their devices to become networked. By doing so, real-time data collected by those devices can be shared with relevant systems to facilitate process automation. Vendors could leverage this data by managing it remotely. Although refitting has brought some benefits, these devices are more likely to have vulnerabilities because they weren’t created from scratch with interconnectivity in mind.
Lack of consensus
There is a dire need within the medical devices industry for entities to be on the same page when it comes to establishing rules on cybersecurity standards. With regulations and guidelines in place, from the FDA and European Commission, there will be extra pressure on manufacturers and authorities to make cybersecurity a priority. But regulation is important, not only for healthcare providers but also for patients since it offers a sense of trust and safety which doesn’t otherwise exist.
Lack of awareness
The lack of regulation and market pressure in terms of medical device cybersecurity may have kept manufacturers in the dark when it comes to awareness. However, as cyber-attacks continue to multiply and companies start to understand how serious the consequences of not adopting a proactive approach are, we hope to see a change of behaviour.
Manufacturers should prioritise cybersecurity when developing products, using a holistic approach which encompasses everything from company policies to internal development processes and right up to the system design itself, as well as from the corporate level to the product.
What can we do about this?
Solving cybersecurity threats on medical devices isn’t as straightforward as one might think. Stopping the threat altogether is extremely hard to achieve, but we can still do something to prevent and minimise the risks. It involves effort from many parties and communication is an important aspect to ensure that teamwork is in place.
Our new white paper details the process of building cybersecurity from manufacturer to end-user, covering the reasons why medical devices are vulnerable and what needs to be done to correct this.