Paulo Pinheiro, head of electronics, software and systems at Sagentia writes about the complex relationship between opportunity and risk in the connected world for medical device manufacturers.
WannaCry, the global ransomware attack that hit the headlines in 2017, highlighted potential vulnerabilities of the healthcare sector in the digital age. In the UK, the NHS experienced major disruption, despite not being a specific target. Two years on, cyberthreat remains a constant companion of any sector or organisation using connected systems. Vigilance and preparedness are key to counter the risk.
How does this impact the development and approval of new, connected medical devices? The benefits of connectivity are immense, enabling patients to receive more personalised care. But such devices face stringent approval requirements, which go beyond patient safety and into the realms of cybersecurity. Software architects for medical devices are caught between two extremes. Connectivity and big data unlock exciting opportunities. But cyber-risks raise unprecedented barriers. How can they reconcile these factors to avoid innovation deadlock?
Defining the threat & responsibility
There are no reports of connected medical devices being compromised by cybercriminal activity to date. However, there have been cases where vulnerabilities have been identified, as reported by the FDA. The agency says: “these vulnerabilities could allow unauthorised users to remotely access, control and issue commands to compromised devices, potentially leading to severe patient harm”.
Introducing connectivity between medical devices, other systems and the cloud exposes devices to cyberthreats from which they were previously immune. The integration of disparate technologies across multiple platforms increases the potential for vulnerabilities. However, early connected medical devices and associated services were developed with little consideration of cyberthreats.
Today, cybersecurity responsibility lands squarely in the lap of medical device manufacturers, whether they are developing a new product or integrating a legacy device into their ecosystem. But addressing this is not straightforward. Classic approaches to safety risk management are ill-equipped to deal with the threat. Well-established risk management frameworks (such as NIST 800-30) are adequate for conventional IT systems, but there is little specific guidance for medical devices. A major challenge for smart medical device security is the lack of defined industry standards and a commonly accepted security certification process.
In the absence of specific guidance, manufacturers have to strike their own path.
Risk assessment & control
The Association for the Advancement of Medical Instrumentation (AAMI) took a welcome step forward in 2016. Its technical information report TIR57: Principles for medical device security – risk management moves medical device manufacturers towards a coherent risk management framework. Providing guidance on risk management related to security threats – and their impact on data confidentiality, integrity and device availability – it has become a valuable reference point.
The recommendation is to have two risk management plans in place: one for safety and one for cybersecurity. It means manufacturers establish a companion security risk management process alongside their existing ANSI/AAMI/ISO 14971-based safety risk management process. However, the approaches taken to address safety and security risk are quite different.
Safety risk management involves evaluating the probability and severity of a hazard leading to harm. Well-established standards and procedures exist to shape this process.
Security risk is harder to define. Manufacturers need to assess the likelihood of a threat successfully exploiting a device vulnerability, potentially compromising system confidentiality, integrity and/or availability (and ultimately even safety). It involves a seven-step process:
- Identify cybersecurity assets
- Identify adverse impacts resulting from the exploitability of those assets
- Identify threats & vulnerabilities
- Evaluate risks
- Identify cybersecurity risk controls
- Implement cybersecurity risk controls
- Verify effectiveness of risk controls
Many medical device manufacturers develop their own cybersecurity proficiency. This involves training medical device engineers in the nuances of traditional IT cybersecurity best practice within the ISO 14971 risk management framework for medical devices.
Cross-industry collaboration is vital
Most cybersecurity experts have strong computer science and networking skills, but are not so well-versed in medical device development factors such as physical and safety engineering. Conversely, the traditional medical device professional may be well-versed in safety issues, but not fully understand the security implications of their design decisions.
Nevertheless, cybersecurity engineering is maturing as a cross-industry discipline. It is arguably more efficient to enlighten a broad range of medical device professionals with security principles than to train existing cybersecurity experts in all engineering disciplines. The traditional network cybersecurity expert lacks the foundational physical engineering capabilities to orchestrate design decisions. It follows that medical companies must bolster their professionals’ competencies in cybersecurity by leveraging knowledge from more established industries.
Design-in security
In the face of such complex and nebulous security risk mitigation requirements, developing connected medical devices is a daunting task. Without clarity on cybersecurity parameters, how can manufacturers have confidence that a new device will gain approval?
It’s important to understand that, just as digital opportunities are continually evolving, so is the cyberthreat. Protecting medical devices in this ever-changing environment requires a continuous lifecycle approach. Cybersecurity should be integrated within the product development lifecycle, both complementing and reinforcing its safety risk management process.
This needs to be factored in at the front end of medical device development. Design features and cybersecurity controls must be clearly defined at the outset of the design and development process.
Medical device manufacturers should work closely with healthcare providers, device users and patients to ensure that risk control measures intended to increase security do not degrade the intended use of the device. For example, many medical devices need to be immediately accessible by a physician during an emergency medical procedure. In this scenario, it may be acceptable to use proximal communications (e.g. an RFID tag) within a limited-access operating environment to temporarily disable security mechanisms.
From a data protection perspective, it’s prudent to begin by mapping out the stakeholders of the product or service ecosystem and the exchanges between them in a data flow diagram. This provides an understanding of how data travels through the system, where it originates, how it is to be processed, who owns and manages the data and who needs access to which parts.
Once that map is complete, a threat model such as STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), one of many available, can be developed as part of the risk assessment and control strategy.
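As an added example (not from the article or from Sagentia), the STRIDE-per-element walk over a data flow diagram that this paragraph and the seven-step process above describe, carried through steps 1 to 5 in Python. The element names, trust zones, impact scores, likelihood rules and the control-family mapping are all constructed for illustration; the connected infusion pump is hypothetical, not a real product.

```python
from dataclasses import dataclass
# STRIDE-per-element: threat categories that apply to each DFD element type.
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}
# Constructed mapping from STRIDE category to the control family addressing it (step 5).
CONTROL_FAMILY = {"S": "authentication", "T": "integrity protection (signing, MAC)",
                  "R": "audit logging", "I": "confidentiality (encryption, access control)",
                  "D": "availability (rate limiting, fail-safe behaviour)",
                  "E": "authorisation / least privilege"}

@dataclass(frozen=True)
class Node:
    name: str
    kind: str    # external | process | store
    zone: str    # trust zone, e.g. "clinic", "device", "cloud"
    impact: int  # 1..3 adverse impact if compromised (step 2)

@dataclass(frozen=True)
class Flow:
    name: str
    src: Node
    dst: Node
    impact: int

def crosses_boundary(flow):
    """A flow between two different trust zones crosses a trust boundary."""
    return flow.src.zone != flow.dst.zone

def exposed_nodes(flows):
    """Nodes touched by at least one boundary-crossing flow (higher likelihood)."""
    return {n for f in flows if crosses_boundary(f) for n in (f.src, f.dst)}

def _threat(element, cat, likelihood, impact):
    return {"element": element, "stride": cat, "likelihood": likelihood,
            "impact": impact, "risk": likelihood * impact, "control": CONTROL_FAMILY[cat]}

def enumerate_threats(nodes, flows):
    """Steps 1-5: list STRIDE threats per element, score each, map it to a control."""
    exposed = exposed_nodes(flows)
    threats = [_threat(n.name, c, 2 if n in exposed else 1, n.impact)
               for n in nodes for c in APPLICABLE[n.kind]]
    threats += [_threat(f.name, c, 3 if crosses_boundary(f) else 1, f.impact)
                for f in flows for c in APPLICABLE["flow"]]
    return sorted(threats, key=lambda t: -t["risk"])   # highest risk first (step 4)

# Constructed DFD for a hypothetical connected infusion pump (not a real product).
CLINICIAN = Node("clinician", "external", "clinic", 3)
CONTROLLER = Node("pump controller", "process", "device", 3)
DOSE_LOG = Node("dose log", "store", "device", 2)
PORTAL = Node("cloud portal", "process", "cloud", 2)
NODES = [CLINICIAN, CONTROLLER, DOSE_LOG, PORTAL]
FLOWS = [Flow("dose command", CLINICIAN, CONTROLLER, 3),
         Flow("log write", CONTROLLER, DOSE_LOG, 2),
         Flow("telemetry upload", CONTROLLER, PORTAL, 2)]
```

Running `enumerate_threats(NODES, FLOWS)` ranks the boundary-crossing dose command flow highest, which is where the clinician-access trade-off discussed below has to be resolved.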
Walking the line
Reconciling innovation with cyber-protection demands a risk-based approach to connected medical device development. Software architects need to be alert to cybersecurity requirements from the outset, ensuring fundamental decisions concerning frameworks and the technology set are fully thought through. Recognising the complexity of this, Sagentia recently produced a free whitepaper offering guidance on the matter: Medical devices: the shift from embedded to connected.
The raison d’être of medical device development is to continually improve patient experiences, outcomes and healthcare efficiency. Ignoring connectivity is not an option. But cybersecurity is a serious consideration. Devices that don’t take adequate measures to address it will eventually become a public relations disaster for the manufacturer. Furthermore, with increased scrutiny from the FDA and regulatory bodies, going to market may not even be an option.
There is no perfect solution, but pragmatism and technology expertise can avoid an innovation deadlock. Designing in scalable security features to be updated throughout the product lifecycle is a must. It’s the surest way to achieve that important balance between innovation and responsibility.