Cyber-attacks threaten the integrity of healthcare services

© Shutterstock

Like all computer systems, medical devices can be vulnerable to security breaches, which can potentially impact the device's safety and effectiveness, and thus the patient's treatment and life. This vulnerability is increasing as medical devices are more and more connected to the Internet, to hospital networks, and to other medical devices.


In a demonstration, security researcher Barnaby Jack showed how a wireless-enabled insulin or morphine pump could be remotely manipulated to deliver a deadly dose of the drug to the patient wearing the device; likewise, a wireless-enabled pacemaker could be made to deliver a lethal shock. Adding to these life-threatening risks is the lifecycle mismatch of medical devices: an operating system with a production lifecycle measured in months does not match well with a medical device whose production lifecycle is measured in years or decades.


Medical devices' vulnerability to cybersecurity risks is a consequence of how they are conceived and designed. Medical device manufacturers focus first on meeting the patient's needs; security controls (even basic password protection) are secondary, and most of the time not included at all. Many manufacturers and health providers have also not established requirements that govern third-party access to patient data.


What is the FDA's role in this problem?


In order to be marketed, a medical device has to prove to the FDA (Food and Drug Administration) that its probable benefits to patients outweigh its probable risks. As cybersecurity threats cannot be completely eliminated, all stakeholders (manufacturers, hospitals and facilities) must work to manage them. With this in mind, on the 21st and 22nd of October 2014, the FDA hosted a workshop that brought together medical device manufacturers, healthcare providers, biomedical engineers, IT systems administrators and health insurers.


This workshop resulted in a set of recommendations aiming to make the rapidly growing world of medical devices more transparent and secure. The final guidance, titled "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices," recommends that manufacturers should:

  • consider cybersecurity risks as part of the design and development of a medical device,
  • identify, assess, and mitigate cybersecurity vulnerabilities in medical products,
  • develop security standards and benchmarks for medical devices,
  • submit documentation to the FDA about the risks identified and controls in place to mitigate those risks,
  • submit their plans for providing patches and updates to operating systems and medical software.


Along the same lines, and in preparation for the above-mentioned workshop, the FDA entered (in August 2014) into a Memorandum of Understanding (MOU) with the National Health Information Sharing and Analysis Centre (NH-ISAC), a non-profit, health-sector-led organization that provides member organizations with actionable information on cybersecurity and coordinates cybersecurity incident response. The goals of this MOU include promoting collaboration and communication between the different stakeholders, encouraging them to develop innovative strategies to assess and mitigate cybersecurity vulnerabilities.


In parallel to the FDA, the National Institute of Standards and Technology (NIST) has published its Cybersecurity Framework, a voluntary set of guidelines for implementing a risk-based security program, which outlines steps to address the five basic cybersecurity functions: identify, protect, detect, respond, and recover. In addition to improving cybersecurity, the Framework also provides both manufacturers and healthcare providers with a common language to communicate and gather intelligence on cyber risks.


The FDA and NIST have both provided a good foundation for building risk-based security for networked medical devices. Neither, however, sets a specific framework of security controls, processes, and safeguards for medical devices.


Finally, the FDA workshop succeeded in making medical device manufacturers and health providers understand the importance of cybersecurity threats, since they can literally be a matter of life and death for patients. In the current context, no single solution exists for all the security issues that accompany the use of connected medical devices. But the development of an integrated, comprehensive cybersecurity program that works in concert with the product development, deployment, and management lifecycles is the best remedy available today.