Anura Fernando, global head of medical device security at UL Solutions examines cybersecurity compliance for medical device companies.
PeopleImages.com - Yuri A Shutterstock
2255590895
Medical cybersecurity
The integration of advanced information technologies in medical devices has transformed the healthcare industry, resulting in dramatic improvements in the efficiency and effectiveness of healthcare and related services. But this integration has fostered the emergence of a new set of challenges for patients, healthcare providers, device developers and manufacturers. Today, the healthcare industry is a significant target for hackers and cybercriminals, potentially compromising private and confidential healthcare data and placing the safety and health of patients at risk.
The pandemic itself created a tremendous amount of activity in the healthcare sector, which in-turn created an ideal environment for threat actors to try to exploit weaknesses and vulnerabilities in healthcare for purposes such as financial gain, nation-state objectives, and malicious mischief. So, with this, what do these attacks look like and how can we mitigate against future threats across the industry?
Why are healthcare organisations vulnerable?
Following the height of the pandemic, society continued to rely heavily on communication technologies for both the delivery of healthcare and many day-to-day activities like remote work and even shopping. Because of such significant increases in the attack surfaces of healthcare and society at large, new dark web value chains were established to trade in illicit data like stolen Protected Health Information, including financial instruments used in healthcare business transactions. Also, as part of critical national infrastructure, healthcare remains a significant target for nation-state attacks as well as from terrorist organisations.
Additionally, healthcare delivery organisations still operate on very thin margins and are under constant pressure to balance issues like investing in their transportation infrastructure such as ambulances, improving patient care, expanding to meet growing demands, etc., so cybersecurity can sometimes take a “back seat” during prioritisation of needs, particularly if the impact of a breach is not well understood.
With the continued roll-out and introduction of new data regulations and technologies across the healthcare supply chain, alongside the move towards digital evolution, the industry continues to make itself vulnerable to potential cyberattacks. From the introduction of viruses and malware from third-party devices and employees sharing information with unauthorised recipients, to downloading files and images and clicking on links in emails and social media posts, there’s an increasing range of ways hackers can enter the healthcare environment.
What do these attacks look like?
Quite a lot of healthcare attacks involve phishing and establishing persistent threats within networks and devices to attack when potential rewards are the greatest. Some of it comes from nation-states, but much of this also comes from the criminal element, not only seeking to make financial gains through stealing protected health information but also from stealing computing resources for activities like cryptocurrency mining or deploying bots for other nefarious purposes like distributed denial of service (dDoS) attacks and other coordinated attacks against specified targets.
Many parts of the private sector are potentially much more susceptible to attack than government healthcare providers, mainly because of resourcing. Government healthcare providers often have much stricter procurement risk management processes that include cybersecurity than do often under-funded security teams in private sector healthcare delivery organisations, who may or may not have security-related procurement requirements.
How can we stop it?
The number one solution is building awareness and providing tools and other resources to help healthcare stakeholders across the entire value chain more effectively manage risks.
The continued rapid progress of medical technology leaves medical devices increasingly susceptible to quality, safety, and cybersecurity issues. Manufacturers and developers need to be aware of the inherent risks and current regulations to provide compliant and safe products and prioritise testing and compliance for all new and existing devices.
Key areas of importance when testing products and ensuring compliance include:
- Security: Ensuring technology does not compromise patient data, allow unauthorised access, or permit malicious control of devices
- Interoperability: Verifying system performance when multiple products are connected
- Usability: Ensuring users can operate devices safely, effectively and with satisfaction
- Safety: Safeguarding against electrical, mechanical, chemical and software failures
Safety science providers and engineers, such as UL Solutions, can help manufacturers on the journey to safer and more secure medical devices, helping with everything from total product life cycle testing and risk management evaluations to EMC, wireless testing, cybersecurity and electrical safety and performance.
As it relates to regulatory compliance, this can be extremely difficult to navigate in the case of healthcare devices, as regulation differs so much depending on what country you are looking to launch in. Global manufacturers, developers and end-users can source help from design through to market release, seeking knowledge on requirements for the latest local standards, and to help keep their products compliant now and in the future.
It’s safe to say that the continued growth and evolution of medical technology isn’t slowing down anytime soon and is ultimately a great thing for industry innovation, patient care and making the lives and jobs of healthcare providers more streamlined. However, with continued growth comes more opportunities and entry points for attack and malicious activity, so cybersecurity, compliance and testing are more integral than ever. Manufacturers across the industry must ensure they are prioritising such testing from the beginning of a product’s lifecycle, which will ultimately help speed up entry into the market and ensure it’s able to stay in the market for as long as possible.
