Matters of Life and Death: Cyber Security and Medical Devices

It’s a scenario right out of a Hollywood blockbuster. Without a word of warning, medical devices regulating everything from heartbeat to insulin levels across a hospital system begin behaving erratically – creating mass confusion and a potential life-and-death emergency for hundreds of patients. Far-fetched? Perhaps. But far from impossible. The fact that no one has ever attempted to do such a thing is maybe just luck. And that’s the concern as the healthcare industry finds itself today under relentless cyber attack.

In 2019, the industry was responsible for nearly four out of five of all reported data breaches and in 2020, the situation is only expected to get worse. Estimates put the cost of cyber crime to the industry at as much as $4 billion—and that doesn’t include the damage to the professional reputations of the healthcare institutions involved.

A Matter of Time

Security experts consider it only a matter of time before medical devices might become a major contributor to this threat landscape. Medical devices permeate the typical hospital—as many as 10-15 per bed according to most estimates. In a large hospital that could mean as many as thousands of beds. Most, if not all of these devices, are connected to the internet by some form of a wired or wireless network. And until very recently, medical device manufacturers (MDMs) were not required to account for the cyber security for their devices—making them among the easiest of potential targets to hack.

Adding to the concern is the fact that the wave of change and innovation that has swept business and consumer technology over the past decade has been challenging for the healthcare industry to absorb. Hospital systems lag behind perhaps only the federal government in their use of legacy operating systems. Indeed, as many as one-third of hospital systems today still use Windows 7, Windows XP, and other legacy systems that are no longer supported by their manufacturers and therefore pose significant additional cyber security risks.

Despite this, healthcare organizations also lag behind most industries in their cyber security planning and investment. Just four to seven percent of the typical healthcare system’s IT budget is spent annually on cyber security–in contrast to other industries, such as finance, which averages about 15% of its annual IT budget on cyber defense.

FDA Leadership

The growing awareness of the potential vulnerability of these devices is generating significant momentum towards increasing their cyber security. The Food and Drug Administration (FDA), which has been responsible since 1976 for regulating medical devices, is taking the lead in guiding these efforts.

In 2014 and 2016, the FDA released the first two guidance documents designed to raise the standards and significantly improve medical device cyber security. These guidelines address cyber security for medical devices in both pre-market and post-market contexts. Among the most notable points in the FDA’s pre-market guidance is that MDMs must address potential cyber security risks and concerns associated with their new devices.

The FDA’s post-market guidance centers on the industry recognizing that the medical device security issue does not exist in a vacuum. The FDA calls on MDMs and healthcare delivery organizations (HDOs) to work together to identify and mitigate potential patient risks and ensure proper device performance throughout the device’s lifecycle. The industry has long recognized its responsibility in this effort. And indeed, there are several industry associations dedicated to this effort, including some that predate the FDA’s guidance. Among the most notable is the Health Information Sharing and Analysis Center (H-ISAC), a not-for-profit industry association established in 2010. H-ISAC comprises many of the medical device industry’s leading companies along with leaders from healthcare, pharmaceutical, and other related industries, public health departments, and health technology and security companies, including Symantec. H-ISAC serves as a cross-industry center for coordinating and sharing cyber threat intelligence and best practices.

The FDA augments these efforts by issuing security alerts whenever it detects a major security vulnerability in any aspect of the medical device ecosystem. In October, 2019, it issued the most recent of these alerts, warning “patients, providers and manufacturers” of potential vulnerabilities for devices using a certain type of communications software.

The Industry’s Role

It is important to note that much of the FDA guidance is essentially just that, suggestions, and not federal mandates. It is up to the MDMs and HDOs to voluntarily act upon the guidance. So, for example, there is no requirement that the medical devices–of which there are millions–that were already in use prior to 2016 be recalled or retrofitted for more cyber security.  

Health technology and security companies associated  with the medical device industry play a major role in helping the sector by working with the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE), the US Department of Commerce’s center responsible for addressing  the most pressing cyber security issues impacting the nation’s business organizations. “There is a major focus around ensuring the data integrity of medical devices at NCCoE,” says Aubrey Merchant-Dest, Symantec’s Senior Technical Director, Public Sector. “The NCCoE is working with companies, including security companies like Symantec, to develop best practices to protect and recover medical devices from ransomware.”

But ultimately, “the onus is on the medical industry,” Merchant-Dest continues, “to make securing medical devices part of their overall cyber security strategy.” So, what can medical device manufacturers do to improve the security around their devices?

“Along with working with NIST’s NCCoE and establishing information sharing associations like H-ISAC,” says Aubrey-Dest, “one solution leading medical device manufacturers are adopting is implementing solutions based on the principle of zero trust.” The concept behind zero trust is that nothing should be trusted and everything and everyone asking for access must be verified. Zero Trust-based security solutions ensure that only authorized and validated individuals, such as the patient’s physician, or authorized devices on that network, have access to that medical device’s data. Components of a robust zero-trust solution integrate user identity and access, device, and network and application security into a comprehensive end-to-end security solution to securely protect the medical device and its patient data.

Adopting a zero-trust security strategy with these elements ensures the safety of the data that may mean life or death to the patient connected to that medical device. And make no mistake: life or death can be the stakes.

While there has been no known or reported attempt to create mass mayhem or directly threaten the life of a patient by hacking into and altering the performance of a given device, that is not the same as saying it can’t or will never happen. Or that the stakes are any less. As MDMs and hospital systems increasingly turn to artificial intelligence (AI) enabled medical devices and systems, the potential to manipulate or weaponize that data grows apace. The bottom line is that data, “any data, but especially that most important to patients or their caregivers,” says Merchant-Dest, “needs to be trusted. We never want to get to a place where we don’t trust the data.” To ensure that trust is indeed a matter of life or death.