Medical devices are becoming increasingly more connected to the internet, hospital networks, and other devices in the ever-expanding Internet-of-Things (IoT), intending to improve healthcare, as well as help healthcare providers in treating patients. However, these features come with risks, specifically cybersecurity threats. Medical devices are no different from other computer systems in terms of their vulnerability to security breaches; this can easily impact the safety and effectiveness of the device itself.
Devices such as insulin pumps and cardiac implants such as pacemakers, as well as imaging and diagnostic tools and data management systems can all be the target of cybersecurity attacks or identified as presenting severe vulnerabilities. The consequences of these attacks are unsurprising – device malfunction is the principal concern, closely followed by personal data breaches, as well as the inability to access data from medical devices.
Cyberattacks in the event of improper cybersecurity protection for medical devices
From big businesses to small start-ups, and from large hospitals to individuals with a dependency on medical devices (i.e. patient with a pacemaker), no one is safe from the threat of cyberattacks. For medical device manufacturers, being the target of a cyberattack may have impacts at varying levels. Depending on the goal of the attacker, they may steal or make inaccessible corporate information or patient data and solving the problem may require new updates or more drastic solutions, such as a recall. The event will inevitably lead to a loss of reputation, business and money.
In the scenario of a healthcare facility, the consequences of a cyberattack won’t only be reflected by monetary losses but also in the way it directly interferes with patients’ health or, in the worst-case scenario, the number of fatalities experienced by a facility. In the past, hackers have attacked critical infrastructure, such as the power supply network in healthcare facilities, which impaired scheduled surgery, as well as other types of treatment.
Industry errors in providing proper cybersecurity protection
As technology and medical devices evolve, innovative and additional hurdles present themselves. The same applies to cybersecurity – a surge is occurring due to the natural evolution of the sector. This difficulty is not new, however, and it has not appeared with interconnectivity, it has only worsened. The challenge originated as soon as medical devices began to grow digital and microprocessor-based. Cyber-attackers do not need a connection to the internet or other devices; most digital devices are hackable in one way or another, regardless of whether they are connected to a network.
Companies appear to be becoming more aware of the cybersecurity threat, as well as the consequences of not being prepared and how to embrace a more proactive approach. Manufacturers must prioritise cybersecurity when developing products, using a holistic approach that encompasses everything from company policies to internal development process right up to the system design itself, as well as from the corporate level to the product.
Guidance on how to keep medical devices safe
Undoubtedly, all entities must be on the same page when it comes to these issues, so they may find solutions and keep medical devices healthy and safe. However, there is no harmonised standard offering guidance on the theme of medical device cybersecurity. Regulation is the only way to reassure healthcare providers and patients that the devices they use are trustworthy and will not endanger their safety, regardless of manufacturer. Regulation standardises the rules for companies, providing greater security and confidence in using medical devices produced by specific manufacturers.
At Critical Software, we primarily focus on applying adequate standards according to the scope of the project and the demands of the market where the product will be commercialised. Equally important is to know the context the medical device will be used, as well as all potential users, allowing us to implement sufficient cybersecurity strategy by adapting other known approaches as best practices for other industries to the medical device sector.
We believe there will be significant improves in protection for medical devices. However, the complexity and diversity of cyberattacks will also naturally evolve. Therefore, authorities, manufacturers and users should always be alert. A first step would be working on preventative measures to improve technical solutions, but that improvement alone would not be enough; it will only produce benefits if there is a security culture already in place.
Many security breaches are caused by users who do not know how to handle an already secure system. With more regulations and guidelines in place from the US Food and Drug Administration (FDA) and the European Commission (EC), there will be additional pressure on manufacturers and authorities to make cybersecurity a priority. General public awareness can also lead to increased demand to have cybersecurity as a standard characteristic of medical devices and not just an optional extra.
Critical Software and FSQ Functional Safety and Quality Experts came together to write a white paper on how to build cybersecurity on medical devices from manufacturers to end-users. Download our free white paper here.