Cybersecurity in the medical device world has evolved from a footnote to a front-page headline. Articles with titles like “Medical Devices are the Next Security Nightmare” (Wired) and “Medical Devices… Lethal in Hands of Hackers” (The Hill) worry device manufacturers, doctors, and patients alike. These concerns are a direct result of an increasingly interconnected medical device ecosystem. Where medical devices were once, by and large, standalone systems, today’s devices regularly communicate with other hospital and clinical systems, PCs, and mobile devices. Every one of those connections is new attack surface, and with it come new threats, vulnerabilities, and challenges for manufacturers. Although regulatory bodies such as the FDA and the European Competent Authorities have introduced increasingly stringent cybersecurity guidance and regulations, following those guidelines alone is not enough to ensure patient safety. The following are some common threats and design tips to help mitigate them.
There are a few common areas of vulnerability that must be considered when designing medical devices. The first fundamental aspect of designing a secure system is authentication: making sure that every user, system, and message the device talks to is who or what it claims to be. A number of high-profile breaches in the past several years have made it clear that usernames and passwords alone do not provide sufficient protection against malicious attacks. Credential leaks have been publicly posted for everything from Myspace to Bitcoin to NSA.gov email addresses. Even Facebook CEO Mark Zuckerberg had his social media accounts hacked due to a weak password in 2016. Medical devices are not immune to this trend. A second line of defense, two-factor authentication, mitigates the risk of weak or leaked passwords by requiring something the user has (a hardware token or smart card) or something the user is (a biometric) in addition to something the user knows. It is also critical to avoid creating loopholes that let a user bypass these controls: hardcoded passwords, undocumented service accounts, and “super-user” modes are strongly discouraged in any medical device, because a single leaked credential then unlocks every unit in the field. Each user should be granted only the level of access their role requires (least privilege). Authentication should also be required to service or update the device. Update packages need more than an integrity check: a cyclic redundancy check or a plain hash only detects accidental corruption, since an attacker who can alter the package can simply recompute either one. Authenticity requires a cryptographic signature (or, at minimum, a keyed MAC) that the device verifies with a key the attacker cannot obtain, and the device should refuse to install anything that fails that check. Protecting against unauthorized access and verifying the authenticity of content is a critical part of designing a secure medical device and ensuring patient safety.
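To make the update-verification point concrete, here is an added example (not code from the original article) that wraps a firmware payload in a tiny update container three ways, with a CRC32 trailer, a plain SHA-256 trailer and an HMAC-SHA256 trailer, and then plays the attacker, who swaps the payload and recomputes whatever tag they can. The container layout, the payload bytes and DEVICE_KEY are all constructed for illustration. A production device would verify a public-key signature so that it holds only a verification key; Python's standard library has no signature primitive, so the keyed-versus-unkeyed contrast is shown with an HMAC instead.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed device-side key (placeholder bytes, not a real key). A real
# device would hold this in protected storage, provisioned at manufacture.
DEVICE_KEY = b"constructed-device-key-for-demo-only"

# Constructed container layout: [4-byte LE payload length][payload][tag]
HDR = struct.Struct("<I")


def make_tag(scheme, payload, key=None):
    """Compute the trailer for a payload under the given scheme."""
    if scheme == "crc32":
        return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    if scheme == "sha256":
        return hashlib.sha256(payload).digest()
    if scheme == "hmac":
        return hmac.new(key, payload, hashlib.sha256).digest()
    raise ValueError("unknown scheme: %s" % scheme)


def build_package(scheme, payload, key=None):
    """Manufacturer side: wrap a firmware payload with its tag."""
    return HDR.pack(len(payload)) + payload + make_tag(scheme, payload, key)


def verify_package(scheme, blob, key=None):
    """Device side: return the payload if the tag checks out, else None."""
    if len(blob) < HDR.size:
        return None
    (n,) = HDR.unpack_from(blob, 0)
    if HDR.size + n > len(blob):  # bound the length field before slicing
        return None
    payload = blob[HDR.size:HDR.size + n]
    tag = blob[HDR.size + n:]
    expected = make_tag(scheme, payload, key)
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return payload if hmac.compare_digest(tag, expected) else None


def tamper(scheme, blob, new_payload):
    """Attacker side: swap the payload and fix up the tag with public knowledge.

    The attacker knows the container format and the algorithm but not
    DEVICE_KEY, so for the keyed scheme the best they can do is keep the
    old tag and hope the device does not notice.
    """
    if scheme in ("crc32", "sha256"):
        return build_package(scheme, new_payload)
    (n,) = HDR.unpack_from(blob, 0)
    old_tag = blob[HDR.size + n:]
    return HDR.pack(len(new_payload)) + new_payload + old_tag


def demo():
    """Return {scheme: (genuine package accepted, tampered package accepted)}."""
    genuine = b"constructed firmware image v2.1.0"
    malicious = b"constructed firmware image v2.1.0 with attacker changes"
    results = {}
    for scheme in ("crc32", "sha256", "hmac"):
        key = DEVICE_KEY if scheme == "hmac" else None
        pkg = build_package(scheme, genuine, key)
        forged = tamper(scheme, pkg, malicious)
        results[scheme] = (
            verify_package(scheme, pkg, key) == genuine,
            verify_package(scheme, forged, key) == malicious,
        )
    return results


if __name__ == "__main__":
    for scheme, (ok, forged_ok) in demo().items():
        print("%-6s genuine=%s tampered=%s" % (scheme, ok, forged_ok))
```

demo() returns {'crc32': (True, True), 'sha256': (True, True), 'hmac': (True, False)}: the genuine package passes under every scheme, but only the keyed tag rejects the tampered one, because the attacker can recompute a CRC or hash but not a tag that depends on a key they do not have. Swapping the HMAC for a signature check (with only the public key on the device) keeps the same structure while removing the risk that a key extracted from one unit lets an attacker sign updates for all of them.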
Even in systems with strong access controls, vulnerabilities may still exist and should be evaluated periodically throughout the lifetime of a product. Often, healthcare facilities will secure access to a network but forgo measures such as data encryption. This is like locking the front door of a house but leaving the valuables inside unprotected. To fully protect patients, data must be secured at rest on the device, in transit over the network, and physically, on the hardware itself. Encrypting data in transit (for example with TLS, with the device verifying the certificate of the system it connects to) defeats an attacker who has already gained a foothold on the network; encrypting data at rest means that a stolen device or storage medium yields nothing readable without the key, which should be kept in protected hardware rather than beside the data it protects; and physically securing the device (tamper-evident enclosures, disabled debug and programming ports) keeps an attacker from pulling keys or firmware straight off the board. No single layer is sufficient on its own; a multi-layered approach is vital to effective cybersecurity for your system and its supply chain.
Though these cybersecurity measures are vital to patient safety, they can be rendered useless if a careful maintenance plan is not developed and followed for the lifetime of the product. It is unfortunately common for users to put off backups and updates until they have already suffered a loss or an attack. To avoid this, develop a maintenance plan that requires regular review, analysis of emerging threats, and safety-critical updates on a defined timeline. If a vulnerability in any piece of hardware, software, operating system, or off-the-shelf component inside your device is not identified and patched, the entire system could be exposed, so the plan needs an up-to-date inventory of those components in order to know when a published vulnerability applies. The maintenance plan should also define procedures for detecting attacks. There are a variety of ways to approach detection, including autonomous monitoring features that notify an administrator of suspicious activity, manual forensic review of audit logs, and malware detection reports; whichever is chosen, the device has to record enough (authentication attempts, service-mode entry, update installs, configuration changes) for an attack to be visible in the first place. Finally, regular backup procedures should be defined and tested so that critical data can be recovered in the event of an attack. Defining these features and formalizing these procedures is critical to ensuring effective cybersecurity during the lifetime of your product.
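As an added example of the automated-monitoring idea (not code from the original article), the script below scans a constructed device audit log for three signs that the controls discussed above are being attacked or bypassed: a burst of failed logins from one source, service mode entered without a recent successful login from that source, and an update installed with verification skipped. The log format, event names, addresses and thresholds are all made up for the illustration; a real device's events and tuning would differ.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-01T10:00:01 AUTH_FAIL user=clinician src=10.0.5.7
2024-03-01T10:00:03 AUTH_FAIL user=clinician src=10.0.5.7
2024-03-01T10:00:04 AUTH_FAIL user=clinician src=10.0.5.7
2024-03-01T10:00:05 AUTH_FAIL user=clinician src=10.0.5.7
2024-03-01T10:00:06 AUTH_FAIL user=clinician src=10.0.5.7
2024-03-01T10:00:09 AUTH_OK user=clinician src=10.0.5.7
2024-03-01T10:01:00 AUTH_FAIL user=admin src=10.0.9.2
2024-03-01T10:15:00 AUTH_FAIL user=admin src=10.0.9.2
2024-03-01T11:30:00 SERVICE_MODE_ENTER src=10.0.9.2
2024-03-01T11:30:05 UPDATE_INSTALL src=10.0.9.2 verify=skipped
"""

# Constructed thresholds; tune to the device's real usage pattern.
FAIL_THRESHOLD = 5                  # failures from one (user, src) ...
FAIL_WINDOW = timedelta(minutes=1)  # ... within this window is a brute force
AUTH_VALIDITY = timedelta(minutes=10)  # how recent a login must be for service mode


def parse(line):
    """Split one log line into (timestamp, event name, {key: value})."""
    ts, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts), event, fields


def scan(text, fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW,
         auth_validity=AUTH_VALIDITY):
    """Return a list of (alert name, source address, timestamp) tuples."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    last_auth_ok = {}              # src -> time of last successful login
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse(line)
        src = f.get("src", "?")
        if event == "AUTH_FAIL":
            recent = failures[(f.get("user"), src)]
            recent.append(ts)
            while recent and ts - recent[0] > fail_window:  # slide the window
                recent.popleft()
            if len(recent) >= fail_threshold:
                alerts.append(("brute_force", src, ts))
                recent.clear()  # one alert per burst, not one per extra failure
        elif event == "AUTH_OK":
            last_auth_ok[src] = ts
        elif event == "SERVICE_MODE_ENTER":
            ok = last_auth_ok.get(src)
            if ok is None or ts - ok > auth_validity:
                alerts.append(("service_mode_without_auth", src, ts))
        elif event == "UPDATE_INSTALL" and f.get("verify") != "ok":
            alerts.append(("unverified_update", src, ts))
    return alerts


if __name__ == "__main__":
    for name, src, ts in scan(SAMPLE_LOG):
        print("%s %-26s from %s" % (ts.isoformat(), name, src))
```

On the sample log this raises three alerts: a brute-force alert for 10.0.5.7 at the fifth failure (10:00:06), a service-mode alert for 10.0.9.2 because that address never logged in successfully, and an unverified-update alert five seconds later. The two admin failures from 10.0.9.2 fourteen minutes apart stay below threshold, which is the sliding window doing its job. The same rules can run on the device itself to trigger a notification, or offline during a forensic review of exported logs.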
Although the increased interconnectivity of medical devices opens the door to malicious tampering, these threats can be managed and mitigated through careful planning and design, risk assessment throughout the design process, and a commitment to go beyond the minimum that cybersecurity regulations require in order to ensure patient safety.