Peter Brady, CEO of Ascensys Medical, highlights the cyber-security threats facing medical devices and the potential solutions.
Like any other computer system, medical devices are vulnerable to security threats, and this has the potential to affect the safety and effectiveness of the device. The trend of making devices more connected (to the Internet, to hospital networks and to other medical devices) increases this vulnerability.
Additionally, by the end of May 2018 all hardware and software that processes personal data concerning the health of EU citizens must comply with the General Data Protection Regulation. The maximum fine under the GDPR is 4% of the total worldwide annual turnover of the preceding financial year for that company.
Many medical devices record real-time data that, when uploaded to a doctor along with a patient name or other patient identifier, becomes Protected Health Information (PHI), which in the United States is governed by HIPAA. Even if this data is never uploaded to a healthcare provider, if PHI is present on the medical device then the device must be designed so that the PHI cannot be accessed through wireless networks, or by hacking into the device or its associated software or databases, should the device be lost or stolen.
Criminal penalties under HIPAA are tiered according to the seriousness of the offense:
• a fine of up to $50,000 and/or imprisonment for up to a year for a simple violation;
• a fine of up to $100,000 and/or imprisonment for up to five years for an offense committed under false pretences;
• a fine of up to $250,000 and/or imprisonment for up to ten years for an offense committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
In addition to confidentiality considerations, the Medical Devices Directive requires that all risks be reduced as far as possible. In practice this means that designs must be consistent with the generally accepted state of the art and compliant with international standards. If threats to the integrity or availability of data could lead to patient harm, then they must be addressed. This calls for a systematic, risk-based approach to information security, as covered by ISO 27001.
The FDA seeks to safeguard patients from cyber threats by recommending that medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market. Device manufacturers are expected to continuously monitor information sources to identify new cybersecurity risks. Those risks must be assessed in relation to the medical devices, and mitigations must be deployed to address risk proactively and protect patients before cybercriminals can exploit vulnerabilities.
For these reasons, the security of much of the information used in healthcare provision is increasingly important, yet it is not an obvious priority in the development of a medical device. To address the subject, we must first define what we mean by information security:
Security of information can be thought of in three different ways:
• Confidentiality: Protecting information from unauthorised access.
• Integrity: Protecting information from modification by unauthorised entities.
• Availability: Making the information available to authorised personnel.
The priorities among these three focus areas may be different for a medical device manufacturer and a healthcare provider; typically, integrity and availability are more important than confidentiality. This differs from other industries such as finance and requires an approach that is integrated with Risk Management as defined in ISO 14971 and required by ISO 13485.
What are the threats?
The threats can be considered to fall into two groups. Firstly, an attacker may take control of one or more devices with the deliberate intent of harming a patient. Motives for this could range from "ransomware", i.e. organised criminals aiming to blackmail healthcare providers or device manufacturers, through a new form of terrorist attack or industrial sabotage, to simply an individual with the intent to cause harm for whatever reason he or she might have. An example of the last is the case in Australia of 49-year-old Vitek Boden, who conducted a series of electronic attacks on the Maroochy Shire sewage control system after a job application he had made was rejected by the area's Council. He was able to take control of the sewage management system and caused millions of litres of raw sewage to spill into local parks, rivers and even the grounds of a Hyatt Regency hotel. He is currently serving a two-year jail sentence.
The second threat is the presence of some unauthorised program, which could be a virus, worm or any other program that compromises the effectiveness or safety of a medical device. Here the intent might not be to cause harm to a patient, but it might lead to that all the same.
The following table summarises the human threats to information systems, their motivations and likely consequences:
Solutions
Dealing with these security issues is something the medical device industry has been late to address, particularly when compared with the commercial world, and perhaps for good reasons: patching an operating system may well invalidate extensive software validation efforts and lead to increased costs. However, in the commercial world preventing an attack might be considered successful if the attacker's intent is blocked, even if the program under attack is prevented from performing its intended function. In the case of a medical device such as an infusion pump, this might not be the case, since a device that stops performing its intended function can itself harm the patient. So the need for effective (and cost-effective) strategies for dealing with security threats is critical.
A sensible approach is to turn to international standards for guidance because they are the consensus amongst industry experts on what constitutes best practice.
The information security standard ISO 27001 tells us that establishing an Information Security Management System (ISMS) is the most effective way to begin protecting our business and its information assets.
The ISMS is analogous to the Quality Management System (QMS) provided for in ISO 13485, with which medical device manufacturers are familiar, but its goal is to manage information security in a systematic way rather than quality. The ISMS provides protection from major failures of information systems and from information security incidents. Implementing an ISMS also allows operations to resume swiftly when security lapses occur.
It is not unusual for companies to be put off implementing an ISMS by the potential costs and a lack of understanding of its relevance. It is also common for companies to believe that they already have certain operations in place for potential cyber-attacks and lapses in security, but these are generally applied in an ad-hoc manner and usually lack a systematic review process. The cost of implementing an ISMS is typically orders of magnitude less than the cost of security breaches.
Information security risk controls typically fall into two broad areas: prevention and detection. Prevention strategies will aim to build robust and secure systems that are extremely difficult to penetrate. Detection strategies will include ongoing monitoring to detect the presence of malicious code, either directly or indirectly (e.g. through the side effects of its presence), or to detect if any unauthorised control of a device has been achieved.
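As an added illustration of the detection strategies just described (this is example code written for this article, not anything from Ascensys Medical or a real pump vendor), the following monitor audits a constructed command log from a hypothetical infusion pump. It assumes three things not stated on the page: that each command line carries an HMAC tag computed with a device key, that a safe upper rate limit is configured for the pump, and that the pump emits periodic heartbeats. It flags commands that fail authentication (an integrity breach), commands whose side effects exceed safe limits, and heartbeat gaps (an availability problem).

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Assumptions for this illustration only: a shared device key, a safe
# rate limit for the pump profile, and an expected heartbeat interval.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_RATE_ML_H = 50.0
HEARTBEAT_GAP = timedelta(seconds=30)


def tag(ts, cmd, arg):
    """HMAC-SHA256 tag over '<timestamp> <command> <argument>'."""
    msg = f"{ts} {cmd} {arg}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def build_sample_log():
    """Constructed log: one valid command, one modified line whose tag
    no longer matches (and which exceeds the rate limit), and a 65 s
    heartbeat gap. Format: '<ISO time> <event> [<arg> <tag>]'."""
    ok = tag("2023-01-01T10:00:10", "SET_RATE", "20.0")
    return "\n".join([
        "2023-01-01T10:00:00 HEARTBEAT",
        f"2023-01-01T10:00:10 SET_RATE 20.0 {ok}",
        f"2023-01-01T10:00:20 SET_RATE 90.0 {ok}",  # altered, tag is stale
        "2023-01-01T10:00:25 HEARTBEAT",
        "2023-01-01T10:01:30 HEARTBEAT",            # gap exceeds 30 s
    ])


def audit(log_text):
    """Return (timestamp, category, detail) findings for the log."""
    findings, last_hb = [], None
    for line in log_text.splitlines():
        parts = line.split()
        ts = datetime.fromisoformat(parts[0])
        if parts[1] == "HEARTBEAT":
            if last_hb and ts - last_hb > HEARTBEAT_GAP:
                gap = int((ts - last_hb).total_seconds())
                findings.append((parts[0], "AVAILABILITY", f"heartbeat gap {gap}s"))
            last_hb = ts
            continue
        cmd, arg = parts[1], parts[2]
        given = parts[3] if len(parts) > 3 else ""
        # Integrity: a missing or mismatched tag means the command was not
        # issued through the authenticated path, i.e. possible unauthorised control.
        if not hmac.compare_digest(given, tag(parts[0], cmd, arg)):
            findings.append((parts[0], "INTEGRITY", f"{cmd} {arg} failed authentication"))
        # Side effect: a rate beyond the configured safe limit is a hazard
        # regardless of how the command arrived.
        if cmd == "SET_RATE" and float(arg) > MAX_RATE_ML_H:
            findings.append((parts[0], "SAFETY", f"rate {arg} exceeds {MAX_RATE_ML_H}"))
    return findings
```

Running `audit(build_sample_log())` yields one INTEGRITY finding, one SAFETY finding and one AVAILABILITY finding, which is the kind of evidence an ISMS review process would act on.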
As previously mentioned, in the medical devices sector there is potential for harm to patients and operators, and this introduces a new dimension to information security. Risk Management in medical devices seeks to minimise the risk of harm to patients and personnel. Where hazardous situations can be caused by information security breaches, whether through corruption of data integrity or through lack of availability of data when it is needed, an ISMS is the best mitigation because it provides a systematic approach to the management of information security.