Why Cybersecurity is Becoming More Important in the Medical Device Industry

Author: Keith Handler | Date: July 23, 2019

Cybersecurity in the medical device world has evolved from a footnote to a front-page headline. Articles with titles like “Medical Devices are the Next Security Nightmare” (Wired) and “Medical Devices… Lethal in Hands of Hackers” (The Hill) worry device manufacturers, doctors, and patients alike. These concerns are a direct result of an increasingly interconnected medical device ecosystem.

Where medical devices were by-and-large standalone systems in the past, today’s medical devices regularly communicate with other hospital/clinical systems, PCs, and mobile devices. This inter-connectivity presents new threats, vulnerabilities, and challenges for medical device manufacturers. Although regulatory bodies such as the FDA and the European Competent Authorities have introduced increasingly strict guidelines and regulations concerning cybersecurity, these guidelines are not enough to ensure patient safety. The following are some common potential threats and design tips to help mitigate them.

Common Cybersecurity Vulnerabilities

There are a few common areas of vulnerability that one must always consider when designing medical devices. The first fundamental aspect of designing a secure system is communication authentication. A number of high profile breaches in the past several years have made it clear that usernames and passwords do not provide sufficient security against malicious attacks. Credential leaks have been publicly posted for everything from Myspace to Bitcoin to NSA.gov email addresses in recent years. Even Facebook CEO Mark Zuckerburg had his social media accounts hacked due to a weak password in 2016.

Medical devices are not immune to this trend. A second line of defense known as “two-factor authentication” can be used to help mitigate threats associated with weak passwords and may include hardware authentication and biometric scanners. It is also critical to avoid creating loopholes that allow users to bypass any security controls. For example, the use of hardcoded passwords or “super-users” is highly discouraged in any type of medical device design. A user should only be granted the level of access appropriate for them. Authentication should also be required to service and/or update the medical device, and data verification should be required for any update packages via a hash function or a cyclic redundancy check. Protecting against unauthorized access and verifying the authenticity of content is a critical part of designing a secure medical device and ensuring patient safety.

Is your product secure?

Now that you’ve put careful consideration into your user authentication, is your product secure? Even in systems with secure user access protocols, vulnerabilities may still exist and should be evaluated periodically throughout the lifetime of your product. Often, healthcare facilities will secure access to a network but forego security measures such as data encryption. This is like locking the front door but leaving the valuables inside unprotected. To fully protect patients, data must be secure at rest in a device, in transit over a network, and physically in space. Encrypting data both in transit and at rest protects against an unauthorized user who gains access to a network. Physically securing the device prevents an attacker from bypassing all security measures by simply stealing the data and attempting to decrypt it elsewhere. A multi-layered approach is vital to effective cybersecurity for your system and supply chain.

Ensuring Patient Safety

Taking these cybersecurity measures is vital to patient safety, but a careful FDA compliant maintenance should be developed and followed for the lifetime of the product as well. It’s unfortunately common for users to put off backups and updates until they have suffered from a loss or an attack. To avoid this, it is important to develop a maintenance plan that requires regular review, emerging threat analysis, and safety critical updates. If a vulnerability in any piece of hardware, software, OS, or off-the-shelf component housed in your device is not identified and patched, your entire device could be susceptible to systemic risk. The maintenance plan should also define procedures for detecting attacks.

There are a variety of ways to approach this detection including autonomous monitoring features that notify an administrator of an attack, manual forensic review of software logs, and malware detection reports. Finally, regular backup procedures should be defined so that critical data can be recovered in the event of an attack. Defining these features and formalizing these procedures is critical to ensuring effective cybersecurity during the lifetime of your product.

The increased inter-connectivity of medical devices opens the door to potential malicious tampering, however, these threats can be managed and mitigated through careful planning and design, risk assessment throughout your process, and a goal to go above and beyond cybersecurity regulations to ensure patient safety.

Share This!

Resources

medical device approval process

November 17, 2021

Strategies for Navigating Medical Device FDA and CE Approval

At Sterling, some of the most common questions we get are related to medical device Food and Drug Administration (FDA) approval in the U.S. and the Conformite Europeenne (CE) mark in the European...
Read More >
View More Blogs

February 18, 2021

5 Mistakes Medical Device Startups Make

Startups are the lifeblood of medical device innovation. Without universities researching ways to solve pressing healthcare problems or doctors with experience in a particular field who have an idea to develop a prototype medical device that could help patients, the future technologies needed to help save lives wouldn't happen. But the long, arduous road through the FDA submission process to get market approval can take a long time and cost a lot of money without help. Sterling Medical Devices has been helping startups through the FDA approval process since 1998 without ever having a submission rejected.
Read More >
View More Videos
people developing a product

November 23, 2020

Sterling Helps Print Parts Win Contract with City of New York for Production of Medical-Grade Nasal Swabs

Sterling Medical Devices performed design services for a Class III breathing pacemaker with Major Level of Concern software, intended for use by patients who have lost neurological control of respiration. This life-sustaining device is comprised of two main components: an internal passive receiver and an external controller....
Read More >
View More Case Studies

Need help with your medical device?

Let Sterling Medical Devices show how to bring your idea from concept to prototype to
FDA/CE approval with a free custom project analysis.
Request Free Analysis