Cybersecurity in medical devices: what you need to know

04 Jul 2021, 12 min read

Team Discussion

Multiple authors

From healthcare facilities to at-home points of care, medical devices that utilise connected technology are becoming more and more prevalent. Due to their flexible capabilities, these medical devices are able to join healthcare networks remotely to aid drug delivery and diagnostics. Their functionality is optimised by software updates and upgrades, which ensure these devices work for both the patient and the administrator.

Despite technological advances, it is still important to factor in security features to protect connected medical devices against potential vulnerabilities and any kind of cyber threat. There are many issues facing security experts within the healthcare environment, as well as a number of cybersecurity requirements that must be considered by medical device manufacturers to keep patients safe both on and offline.

So how can we protect our medical devices against cyber threats?

Using existing technology to protect medical devices against a cyber threat

Over the past 30 years or so, communication software, as well as the technology that draws on it, has been revolutionised. Back in the early nineties, only a fraction of the population had a PC, around 17%, according to some estimations. PCs at this time were often difficult to move, with little computing power in comparison to their modern counterparts.

Today, 83% of UK residents have a smartphone. These hand-held devices are typically more powerful than the computers of the past and, most importantly, offer multiple connectivity solutions. With Bluetooth, NFC and Wi-Fi connectivity built in, smartphones offer several ways for us to connect our medical devices and unlock a variety of benefits for our users.

How can a connected device help us identify failures and security risks?

A key benefit of device connectivity is the ability to allow healthcare providers to monitor devices when they are in use. But with people’s health data being transmitted wirelessly comes cybersecurity vulnerability, increasing the likelihood that it can be abused or manipulated by attackers to gain access to sensitive data.

It is therefore important to build robust medical device risk management into development. This covers how we identify failures, monitor how people use the technology, and record common user mistakes in order to improve patient safety. When identifying risks or selecting mitigations for them, we apply risk management to medical device security and development using ISO 14971 as the governing standard. Many healthcare professionals may think that security management is a new concept in this field, but in reality it comes down to which assets can be manipulated through unauthorised access.

Asking hypothetical questions, such as how security flaws might allow this to happen and what impact it could have, leads us to put protections in place to keep these assets safe. These protections are rigorously tested for weaknesses to ensure that attacks are detected and dealt with before user documentation is compromised. Another factor to consider is how you will respond should a successful attack happen, including mitigating patient harm and appropriate means of recovery.

What standards exist to manage cybersecurity threats?

There are a number of standards for adequately managing cybersecurity threats. One of these, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, uses a five-function model against threats: identify, protect, detect, respond and recover.

There is also UL 2900, which is a more specific regulatory standard that encompasses software cyber security requirements for network-connectable products, as well as guidelines specifically created for medical and healthcare systems.

Managing patient safety concerns and sensitive data

The first step when evaluating cybersecurity controls is to identify and evaluate the assets, data, or components within a system. That way, if a security event takes place, we can anticipate the potential impact to a device, patients, or to society as a whole.

We can contextualise this by thinking about what happens if the data on your phone is stolen. Many of us have personal information stored on our phones, such as card details, which can be used to steal money. In the case of medical devices, that information might contain a person’s medical record, contact information, national insurance number, or even a full medical ID. These are all things that can be used to steal an identity or to extort someone, for example by threatening to disclose a diagnosis that the patient doesn’t want made public. An attacker may try to use that to their advantage in order to coerce their target.

Security breaches on hardware

Another example of something that might be impacted by a cyber threat is test results and their accuracy. Take, for example, a hypothetical COVID test that was connected to a network. If the test displays a positive result and there is a notable cybersecurity vulnerability, an attacker could manipulate it into giving a negative result. The patient would then put themselves and others at risk by spreading the virus unintentionally. This can potentially impact their treatment and how we, as healthcare providers, manage the individual.

A further asset that can be attacked is hardware. Even a basic threat could cause equipment such as an X-ray device to be activated without you expecting it, causing further patient safety concerns through radiation risk.

Another attack type is a denial of service. This happened with the WannaCry hacking incident in 2017, the largest cyber attack to affect the NHS in England. Here, the attack took many NHS systems offline, impacting the operating environment and capacity for the medical staff to deliver the services needed.

If an attacker finds a way of providing a fake software image – one which looks like your own – they can use it to steal patient data, alter the accuracy of your results, or even deny access to your device hardware. It’s imperative that your software image is delivered in a secure way, so that unexpected attacks on devices in the field are prevented.

Malicious attacks from facility staff

Another type of security risk that we might want to consider is who might make these attacks – and what motivates them. One of the risks we don’t really like to think about is ex-employees who have intimate knowledge of our system and safety reporting methods. If they were unhappy in their work environment and wished to attack our devices, would they have the means to do so?

There are also random attackers who simply attack things because they can. In these instances, it’s harder to work out why they want to do it, but they can cause some of the most harm – and of course there will always be the cybercriminals who are driven by financial gain.

Identifying and assessing vulnerabilities

Next, we’ll look at the ways we can identify how our assets may be attacked. Once we understand the routes, we can estimate the probability of these types of attacks. So, let’s take the example of a file on a PC and use a top-down approach to assess vulnerabilities. As this is a wide-ranging asset that healthcare providers deal with, the first thing to consider is: how can attackers get past the security controls?

If they can directly access the file, are they going to try and download it through a network? If so, do you have any networking interfaces in place? Do hackers have direct access to the physical device, as well as the software, allowing them to log in through the user terminal?

As well as understanding the threats, it’s important to consider the various ways an attacker might try to access or modify your device and data. Electromagnetic interference, for example, can be used to modify files in uncontrolled ways simply by holding a powerful magnet over a hard drive. We can visualise these potential threats with an attack tree: a conceptual diagram that shows the various ways an asset might be infiltrated or targeted.
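As an added illustration (our own example code, not something from the original article), the following Go program encodes the file-on-a-PC example as a small attack tree with AND/OR nodes and asks it two defender’s questions: which route needs the least attacker effort today, and which route becomes the weakest once a mitigation raises the cost of one step. The effort scores and step names are constructed for illustration only.

```go
package main

import (
	"fmt"
	"math"
)

// Kind says how a node's children combine: an OR node succeeds if any one
// child does, an AND node only if every child does. Leaves are concrete
// attacker steps carrying a defender-estimated effort score.
type Kind int

const (
	Leaf Kind = iota
	Or
	And
)

// Node is one goal or step in the attack tree.
type Node struct {
	Name     string
	Kind     Kind
	Cost     float64 // leaves only: estimated attacker effort
	Children []*Node
}

// CheapestPath returns the lowest total attacker effort that achieves the
// node's goal and the leaf steps making up that route. AND children add
// their costs; an OR node takes its cheapest child.
func CheapestPath(n *Node) (float64, []string) {
	switch n.Kind {
	case Leaf:
		return n.Cost, []string{n.Name}
	case And:
		total := 0.0
		var steps []string
		for _, c := range n.Children {
			cost, s := CheapestPath(c)
			total += cost
			steps = append(steps, s...)
		}
		return total, steps
	default: // Or
		best, bestSteps := math.Inf(1), []string(nil)
		for _, c := range n.Children {
			if cost, s := CheapestPath(c); cost < best {
				best, bestSteps = cost, s
			}
		}
		return best, bestSteps
	}
}

// Raise records a mitigation by increasing the effort of the named leaf.
// It returns false if no such leaf exists.
func Raise(n *Node, leaf string, newCost float64) bool {
	if n.Kind == Leaf {
		if n.Name == leaf {
			n.Cost = newCost
			return true
		}
		return false
	}
	for _, c := range n.Children {
		if Raise(c, leaf, newCost) {
			return true
		}
	}
	return false
}

// PatientFileTree models the article's example: a sensitive file on a PC,
// reachable over the network, at the physical terminal, or corrupted by
// electromagnetic interference. Scores are constructed, not measured.
func PatientFileTree() *Node {
	return &Node{Name: "Read or alter the patient file", Kind: Or, Children: []*Node{
		{Name: "Over the network", Kind: And, Children: []*Node{
			{Name: "Reach a network interface", Kind: Leaf, Cost: 2},
			{Name: "Bypass user authentication", Kind: Leaf, Cost: 5},
		}},
		{Name: "At the device", Kind: And, Children: []*Node{
			{Name: "Gain physical access", Kind: Leaf, Cost: 6},
			{Name: "Log in at the user terminal", Kind: Leaf, Cost: 3},
		}},
		{Name: "Corrupt the file with electromagnetic interference", Kind: Leaf, Cost: 8},
	}}
}

func main() {
	t := PatientFileTree()
	cost, steps := CheapestPath(t)
	fmt.Printf("weakest route (effort %.0f): %v\n", cost, steps)
	Raise(t, "Bypass user authentication", 15) // e.g. after adding multifactor authentication
	cost, steps = CheapestPath(t)
	fmt.Printf("after mitigation (effort %.0f): %v\n", cost, steps)
}
```

The point of the second question is that a mitigation rarely closes the tree; it moves the cheapest route somewhere else, and the tree tells you where to look next.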

Protecting data from cybersecurity risks

Sensitive data can come in many forms, such as ‘data at rest’ within a device or location. We can protect data at rest from being stolen with multifactor authentication methods that verify the users trying to access it, requesting their username and password. Much like access to a hotel room, without the relevant key or password the number of identities an attacker can assume is reduced. Data stored on a hard drive can also be encrypted. If the data is encrypted and our keys are kept securely, administrators can stop attackers from reading the data.

As a complete process, we can use validation, key validation and authentication to make sure that the data we have is generated from a valid source – even if it is in transit, thanks to end-to-end encryption.

This is where asymmetric encryption methods come in, because at no point is the encryption key shared. In symmetric methods, both devices must hold the same key before communication can happen, which sometimes involves exchanging it over a communication protocol. This means that your two devices have the same encryption key and both know what it is, as opposed to asymmetric methods, where the key is generated during that connection and never sent across it.

This is how things like SSH (or Secure Shell) work during the exchange of data over the internet. One of the key components of ensuring the security capabilities of data in transit is that encryption keys are kept as unique as possible. It’s good practice to not replicate the same encryption key across all devices or communication links because, if an attacker understands what that encryption key is, they can attack the whole system.
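To make the ‘key generated during the connection’ idea concrete, here is an added Go example (ours, not the article’s) of ephemeral X25519 key agreement using Go’s standard crypto/ecdh package: each side sends only its public key, both derive the same session key, and a fresh connection yields a fresh key. The party names and the context label are assumptions for the example. Note that key agreement on its own does not tell either side who it is talking to; the public keys still need to be authenticated, which is what certificates and signatures provide.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is one side of a connection, holding an ephemeral X25519 key pair
// generated for this connection only and discarded afterwards.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewParty generates the ephemeral key pair. The private half never leaves
// this struct.
func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicBytes is the only thing that crosses the link.
func (p *Party) PublicBytes() []byte {
	return p.priv.PublicKey().Bytes()
}

// SessionKey combines our private key with the peer's public key, then
// stretches the shared secret with HMAC-SHA256 under a context label, so the
// raw Diffie-Hellman output is never used directly as a cipher key and keys
// for different purposes (e.g. telemetry vs. commands) differ.
func (p *Party) SessionKey(peerPublic []byte, context string) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, shared)
	kdf.Write([]byte(context))
	return kdf.Sum(nil), nil
}

// Handshake runs one connection between a device and a gateway, exchanging
// only public keys, and returns the key each side derived.
func Handshake(context string) (deviceKey, gatewayKey []byte, err error) {
	device, err := NewParty("infusion-pump") // hypothetical device name
	if err != nil {
		return nil, nil, err
	}
	gateway, err := NewParty("ward-gateway") // hypothetical gateway name
	if err != nil {
		return nil, nil, err
	}
	// Each side receives only the other's public bytes.
	if deviceKey, err = device.SessionKey(gateway.PublicBytes(), context); err != nil {
		return nil, nil, err
	}
	if gatewayKey, err = gateway.SessionKey(device.PublicBytes(), context); err != nil {
		return nil, nil, err
	}
	return deviceKey, gatewayKey, nil
}

func main() {
	for i := 1; i <= 2; i++ {
		d, g, err := Handshake("telemetry-v1")
		if err != nil {
			panic(err)
		}
		fmt.Printf("connection %d: device %s gateway %s\n", i, hex.EncodeToString(d[:8]), hex.EncodeToString(g[:8]))
	}
}
```

Running it twice shows the two sides agreeing on each connection while the keys differ between connections, which is exactly the ‘keep keys unique’ property the paragraph above calls for: compromising one session’s key tells an attacker nothing about the next.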

Validating and authenticating data is another way to support security risk analysis. By using certificates and the authenticated transactions your server provides, you can confirm that data comes from the right source. To keep authentication keys secret, it is also useful to rotate them as regularly as possible.
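Delivering a software image securely (as called for in the section on hardware breaches above) and confirming that data comes from the right source both come down to verifying a digital signature on the device. The added Go example below (our illustration, not the article’s or any manufacturer’s code) signs an image manifest with Ed25519 at the build system and verifies it on the device, rejecting a bad signature, an image meant for a different model, a rollback to an older version, and an image whose bytes do not match the signed digest. The model id ‘pump-x1’ and the image bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is what the manufacturer signs: the target model, a version that
// only ever increases, and the SHA-256 of the image bytes. Binding model and
// version into the signed data stops a valid image for another product, or an
// older signed image with known flaws, from being accepted.
type Manifest struct {
	Model   string
	Version uint32
	Digest  [32]byte
}

// bytes serialises the manifest unambiguously for signing and verifying.
func (m Manifest) bytes() []byte {
	b := append([]byte(m.Model), 0) // NUL separator: model cannot run into version
	b = binary.BigEndian.AppendUint32(b, m.Version)
	return append(b, m.Digest[:]...)
}

// SignImage runs at the manufacturer; the private key stays in the build
// environment and never ships with a device.
func SignImage(priv ed25519.PrivateKey, model string, version uint32, image []byte) (Manifest, []byte) {
	m := Manifest{Model: model, Version: version, Digest: sha256.Sum256(image)}
	return m, ed25519.Sign(priv, m.bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrWrongModel   = errors.New("image was signed for a different model")
	ErrRollback     = errors.New("image version is not newer than the installed one")
	ErrDigest       = errors.New("image bytes do not match the signed digest")
)

// VerifyImage is the check a device runs before installing an update. The
// public key is assumed to be fixed in the device at manufacture, so a forged
// image cannot carry a key of the attacker's choosing.
func VerifyImage(pub ed25519.PublicKey, m Manifest, sig, image []byte, model string, installed uint32) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return ErrBadSignature // checked first: nothing else in the manifest is trusted yet
	}
	if m.Model != model {
		return ErrWrongModel
	}
	if m.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.Digest {
		return ErrDigest
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // build-system key pair
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image, version 2") // stand-in for real image bytes
	m, sig := SignImage(priv, "pump-x1", 2, image)          // "pump-x1" is a hypothetical model id
	fmt.Println("genuine image:", VerifyImage(pub, m, sig, image, "pump-x1", 1))
	image[0] ^= 1 // one flipped bit, as a tampered download would have
	fmt.Println("tampered image:", VerifyImage(pub, m, sig, image, "pump-x1", 1))
}
```

The same verification routine covers the article’s data-source point: any message the device accepts (a results record, a configuration change) can carry a manifest and signature of this shape, and the device trusts it only after the signature checks against a key it already holds.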

Using multifactor access protocols as part of multi-layered security design

Having identified what cybersecurity attacks your medical devices might suffer from, you may want to consider multi-factor authentication as a means of prevention. It is also important to find ways of detecting that a breach has taken place. So, how do we know whether a user was authorised to access that data? As part of the automation of security systems, many devices keep logs of who can access each area, how they accessed it, and how long they have access for.

Another good way to detect a breach is through users reporting strange device behaviour. Through your device maintenance procedures, you will receive information from your user base about how things are working. If users suddenly report strange failures or behaviour they weren’t expecting, it could be a cybersecurity event, which you can then pinpoint.
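The access logs just described are only useful if someone, or something, reads them. As an added example (not part of the article), this Go program parses a few constructed access-log lines and applies a simple policy: which areas each account may use, how long a session may last, and how many failed logins in a row are worth a closer look. The log format, account names and thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Entry is one parsed access-log record in the constructed format below.
type Entry struct {
	Time               time.Time
	User, Area, Result string
	Duration           time.Duration
}

// ParseLine reads "<RFC3339 time> key=value ..." and ignores unknown keys,
// so the format can grow without breaking the review.
func ParseLine(line string) (Entry, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Entry{}, fmt.Errorf("too few fields: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Entry{}, err
	}
	e := Entry{Time: ts}
	targets := map[string]*string{"user": &e.User, "area": &e.Area, "result": &e.Result}
	for _, kv := range fields[1:] {
		k, v, _ := strings.Cut(kv, "=")
		if dst, ok := targets[k]; ok {
			*dst = v
		} else if k == "duration" {
			if e.Duration, err = time.ParseDuration(v); err != nil {
				return Entry{}, err
			}
		}
	}
	return e, nil
}

// Policy describes legitimate use: permitted areas, longest session, tolerated failures.
type Policy struct {
	Allowed     map[string][]string
	MaxSession  time.Duration
	MaxFailures int
}

// Review parses the lines in order and returns one finding per deviation; an unreadable line is itself reported.
func Review(lines []string, p Policy) []string {
	findings, failures := []string(nil), map[string]int{} // failures: consecutive failed logins per account
	for _, line := range lines {
		e, err := ParseLine(line)
		if err != nil {
			findings = append(findings, "unparseable line: "+err.Error())
			continue
		}
		if e.Result == "fail" {
			if failures[e.User]++; failures[e.User] == p.MaxFailures {
				findings = append(findings, fmt.Sprintf("%s: %d failed logins in a row, last at %s", e.User, p.MaxFailures, e.Time.Format(time.RFC3339)))
			}
			continue
		}
		failures[e.User] = 0
		permitted := false
		for _, a := range p.Allowed[e.User] {
			permitted = permitted || a == e.Area
		}
		if !permitted {
			findings = append(findings, fmt.Sprintf("%s: access to %q is not permitted", e.User, e.Area))
		}
		if e.Duration > p.MaxSession {
			findings = append(findings, fmt.Sprintf("%s: session of %s on %q exceeds %s", e.User, e.Duration, e.Area, p.MaxSession))
		}
	}
	return findings
}

// SampleLog is constructed for this example; it is not output from a real device.
const SampleLog = `2021-07-04T09:12:03Z user=nurse01 area=ward-records action=read result=ok duration=5m
2021-07-04T09:20:45Z user=nurse01 area=device-config action=write result=ok duration=20s
2021-07-04T22:01:10Z user=tech02 area=device-config action=write result=ok duration=90m
2021-07-04T22:05:00Z user=guest area=ward-records action=login result=fail duration=0s
2021-07-04T22:05:09Z user=guest area=ward-records action=login result=fail duration=0s
2021-07-04T22:05:17Z user=guest area=ward-records action=login result=fail duration=0s`

func DefaultPolicy() Policy {
	return Policy{
		Allowed:     map[string][]string{"nurse01": {"ward-records"}, "tech02": {"device-config"}},
		MaxSession:  time.Hour,
		MaxFailures: 3,
	}
}

func main() {
	for _, f := range Review(strings.Split(SampleLog, "\n"), DefaultPolicy()) {
		fmt.Println(f)
	}
}
```

On the sample it raises three findings: a nurse writing to an area outside her role, a technician session far longer than the policy allows, and a run of failed logins from an unknown account. None of these proves an attack, but each is the kind of ‘behaviour we weren’t expecting’ that deserves a look before a user has to report it.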

If an attack has taken place, you need to bring it under control as quickly as possible. There are many IT solutions with a good framework in place that can be used to resolve medical device cybersecurity risks, even if they appear to be generalised. Responding to a suspected breach may be as simple as notifying the correct authorities – for example, the police – that your medical device software has been compromised. In more serious cases, you may need to file a report with the ICO, or the equivalent data protection authority for your region, as part of its security standards.

For companies based in Europe, the next step in restoring security is to assess how that data is going to be regained and whether control can be returned. If you haven’t already, putting in place a way to lock outsiders out of the data by forcing all passwords to be reset remotely is a sensible step – even before the extent of the attack has been identified.

How does this adaptation of cybersecurity mitigate future risks in the medical device industry?

If data is transferred between devices using a fixed encryption key, it is a good idea to move to asymmetric encryption to keep that data safe from prying eyes. The best way to prepare is to ‘hope for the best, but expect the worst’, which should inform the management of cybersecurity at multiple levels. Cyber threats are constantly evolving, which is why it is important to be able to identify unauthorised users, attempts to read sensitive data, and other unusual device behaviour. Much like when a device fails in the field, the processes that follow must be used to reduce the likelihood of a similar situation occurring in the future.

These common guiding principles can be used to inform us of the types of processes that are needed within digitised health systems. As with any technological system – medical devices being no exception – it is imperative that potential cybersecurity risks are reviewed and understood in order to put procedures in place to mitigate their likelihood. The goal is to manage safety risks within the device as a whole – with cybersecurity issues treated as rigorously as they should be.
