Cybersecurity has never been an attractive nor an easy topic to discuss. As i am writing this article, I feel like “the rain, raining on the parade.” It addresses what could happen that everyone wants to forget about, yet it happens. Regardless of security processes, procedures, models, or frameworks, when or how it is illustrated, it is of little importance to the network, application, or device is compromised. The moment a security breach occurs, organizations thrust security on top of the priority list while being reactionary instead of being proactively engaged from the beginning of the development.
The digital disruption has brought a convergence of technologies that connect devices and appliances, that were originally developed to operate independently, to computer networks connected to the internet, or directly connected to the internet. Connectivity to the internet opens a network, appliance, or device to many opportunites but also, many exploitable vulnerabilities and threats.
Medical devices and healthcare networks were not excluded from the digital disruption. Several medical devices such as pacemakers, implanted defibrillators, and drug infusion pumps, are connected or interconnected to the internet and exploitable through vulnerabilities and threats, potentially putting safety and effectiveness in jeopardy. Historically, medical devices were designed to be standalone and operate independently. Technology advancements made it possible for these devices to interconnect with healthcare networks and/or the internet without designing security into the medical device. Also, with the addition of software as a Medical Device, there is often an additional pathway open from the application database to the device (PC, mobile device, etc.) that it is housed on. The increased interconnections thus make relevant the saying, “An organization is only as strong as its weakest link”.
The lack of security design in any device that is interconnected to computer networks and/ or the internet has vulnerabilities and/or threats that could be exploited by bad actors, internally and externally. Traditionally, security was not the focus of developing a device. Today, security design is not a priority as it should be, yet it can have a catastrophic effect if it is breached to hospitals, medical device and insurance companies, and any organization with network connection within the environment that a device might be connected.
Emerging technologies such as artificial (AI), Internet of Technologies (IoT), and Machine Learning are the agitators of the digital disruption that requires medical devices to be connected directly or indirectly, to the internet. As the agitators became more prevalent security became more of a priority, or should have, due to the connectivity and exposure to the internet.
Developing of medical devices should not just start with functionality as its focal point. It should include security as well. When a security focal point is added, instead of being reactionary, development becomes proactive against cyber-attacks. It is easier to build security into a device while in development than going back when development is completed. This concept is equivalent to building a house. It is more proficient to incorporate plumbing and HVAC during construction than to incorporate after completion of construction. Incorporating security during development places one in a position of prevention instead of reacting. If done after development, the reverse is true, and a position of reacting, instead of preventing, is detrimental to the functionality of the medical device. When a medical device is compromised, it is impossible for the device to operate at an optimal level. A security breach can also have a detriment on other devices in a network, a hospital system, and other interconnected parts.
Integrity recommends the following security focal points for hardening up medical devices:
1) Updates and Patches
Applying updates and patches are crucial to maintaining and securing any medical device. The difference between updates and patches is updates involve adding different features while the patches deal with plugging up vulnerabilities. Connectivity to the internet makes applying the latest updates and patches convenient. Over the life cycle of a device, cyberattacks become more sophisticated and new features must be developed to reduce vulnerabilities and combat threats constantly. Vendors should release updates and patches on the regular basis to optimize performance as well as enhance security features. During development, it is critical to consider how and when this will be done.
2) Communication Authentication
A communication medium that connects two devices is not inherently secure. The importance of a device to perform a cryptographic challenge-response process to confirm it has paired with the correct device. This security function is enabled at the application level.
3) Security In-Depth
Security in Depth (SID) refers to the multiple layers of security used to safeguard an asset such as medical device or connected network. These security measures function in layers to utilize a combination of different technologies and security processes to protect against threats and exploits. In conclusion, with the advancement of technology and the interconnectivity of these devices to the internet, cybersecurity starts on day one of development and progresses through the lifecycle of any medical device. Cybersecurity is not a comfortable subject to speak about, but it is a must. There are FDA guidelines, both premarket and post-market, addressing cybersecurity management for medical devices.
Leave a Comment