As technology plays an increasing part in medical care it brings with it risks that are inherent in digitisation. They need to be addressed, especially in the case of connected medical devices.
According to research from Clearswift, 67% of healthcare organisations in the UK suffered a cybersecurity incident last year.
Connected medical products with remote access are becoming a growth area in healthcare management in hospital and community settings, but remote access systems are also a common target of cyber attacks.
This is because often only some of the risks associated with remote connections (and the ability of third parties to use them) are taken into consideration.
Systems intended to meet legitimate needs, such as those that allow off‑site clinicians to access clinical data or vendors to troubleshoot systems, can be exploited for illegitimate purposes.
There are many ethical and business reasons to ensure that all digital healthcare and medical devices are thoroughly tested and secure, notwithstanding the regulatory issues. These include requirements to comply with global standards, such as the In Vitro Diagnostic Medical Device Regulation (IVDR) and the Medical Device Regulation (MDR) in the EU, as well as the regional requirements of the US Food and Drug Administration (FDA), Health Canada, China National Medical Products Administration and the Japan Ministry of Health and Welfare.
Confidentiality clauses
Privacy is extremely important for patient confidentiality – a breach would undermine the important practitioner‑patient trust and could have legal implications.
More seriously, unauthorised access to medical devices could result in death or severe injury, so manufacturers and medical device procurement teams must ensure that the technology is secure.
If they fail to ensure medical device cybersecurity, this could result in significant reputational damage for manufacturers and healthcare organisations if patient welfare is harmed as a result.
The FDA, EU and Health Canada are working on standards and guidance documents that will indicate the need to consider vulnerability scans and penetration tests during the development of medical devices.
Despite the obvious requirement for protection of data confidentiality, integrity and availability, there are still no harmonised standards for the cybersecurity of medical devices. In the absence of such harmonisation there are some standards that already contain guidance relating to cybersecurity, from the US FDA and the International Electrotechnical Commission (IEC):
- UL 2900-2-1 – the US FDA’s cybersecurity aid for industry and regulators
- IEC/TR 60601-4-5 – safety-related technical security specifications for medical devices (currently under development)
- IEC 80001-5-1 – the application of risk management for IT-networks incorporating medical devices (currently under development)
- MDCG 2019-16 – Guidance on Cybersecurity for Medical Devices, which is one of the most important guidelines for EU MDR implementation.
Section 3.7 of the EU’s MDCG (Medical Device Coordination Group) guidance states that the primary means of security verification and validation is testing. Therefore, cybersecurity must be based on a well-structured development and testing process.
For example, after any software changes a vulnerability scan or penetration test should be repeated, at least partly. Manufacturers must also consider security-related tests regarding the change, as well as conducting regression tests to show that the change did not have a negative effect on the cybersecurity of the device under test.
Manufacturers can conduct their own tests, but they must have the appropriate competences within the organisation. They should therefore ensure – and demonstrate – that they have enough expertise to ensure IT security in line with the state of the art.
This evidence is often most easily obtained through internal or external training, which can help manufacturers gain access to external expertise.
Documentation
While there is currently no law that requires a vulnerability scan to be done, most guidance documents indicate that it should nevertheless be conducted. It is up to manufacturers to prove due diligence – that they have taken appropriate actions to bring safe products to market. Designers and manufacturers should therefore have a good case prepared if they decide to skip it. The same applies for penetration tests.
The MDCG 2019-16 Guidance on Cybersecurity for Medical Devices document provides manufacturers with guidance on how to fulfil all the relevant essential requirements of Annex I to the MDR and IVDR regarding cybersecurity. Requirements listed in Annex I of the MDR deal with both pre- and post-market standards.
When assessing risks in accordance with Annex I of the MDR, it is important to include security issues, even in cases where security is not stated explicitly in the regulatory requirements.
During the risk management process, the manufacturer should foresee or evaluate the potential exploitation of security vulnerabilities that may be a result of reasonably foreseeable misuse.
Design requirements
The regulations now also require manufacturers to develop and build their products in accordance with the state of the art, taking into account the principles of risk management, including information security.
They must also set out minimum requirements concerning IT security measures, including protection against unauthorised access.
During the product security risk management process, manufacturers must distinguish between two important areas:
- Safety risk management normally covered in the overall product risk management
- Security risk, which is not associated with safety.
TÜV SÜD would define the state of the art as the “developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience”.
The phrase does not necessarily imply the most technologically advanced solution, but embodies what is currently and generally accepted as good practice in technology and medicine.
The state of the art described in these regulations is sometimes referred to as the “generally acknowledged state of the art”.
Home care considerations
There is an increasing demand for home care in the case of chronic conditions that require regular monitoring.
While new technology can grant patients the freedom to live at home while being monitored, many security assumptions are based on equipment being used in a hospital or clinical environment. These include:
- Control of local communications infrastructure (device communicates with bed stand or a local gateway)
- IT support
- Native protocols (unencrypted communications, as in some 2016 pacemakers)
- Knowledge about the ease with which hardware (such as firmware flashing devices) may be procured.
Consequently, there are many cybersecurity vulnerabilities within connected healthcare products as they have limited encryption capabilities. Authentication mechanisms may be lacking or entirely absent, as there is no de facto standard for authentication.
Wireless communication exposes patients to eavesdropping, and it also introduces vulnerability to social engineering at the point of service, via the patients themselves, or their carers and nurses, for example.
This is where cybercriminals may use psychological manipulation to trick users into making security mistakes or giving away sensitive information. However, companies often neglect their staff’s IT security training, even though social engineering has long been a standard weapon in every cybercriminal’s arsenal.
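The device-to-gateway link described above, with the weak assumption (a native protocol that trusts whatever arrives) replaced by per-message authentication and replay protection, as an added example that is not from the original article or any real product: a home-monitoring device tags each reading with an HMAC over the message and a monotonic counter, and the gateway rejects tampered, replayed or unauthenticated messages. The shared key, message format and field names are constructed assumptions for illustration; the example covers integrity and authenticity only, not confidentiality.

```python
import hashlib
import hmac
import json

# Assumed per-device key provisioned at manufacture (constructed value for this example).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def encode_message(counter: int, payload: dict, key: bytes = DEVICE_KEY) -> bytes:
    """Device side: serialise payload with a monotonic counter and append an HMAC-SHA256 tag."""
    body = json.dumps({"ctr": counter, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def naive_receive(wire: bytes) -> dict:
    """Weak 'native protocol' receiver: parses whatever arrives, no authentication at all."""
    return json.loads(wire.rpartition(b".")[0] or wire)["payload"]


class Gateway:
    """Hardened home-gateway receiver: verifies the tag, then rejects stale or repeated counters."""

    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.last_counter = -1
        self.accepted = []

    def receive(self, wire: bytes) -> str:
        body, sep, tag_hex = wire.rpartition(b".")
        if not sep:
            return "rejected: malformed"
        try:
            tag = bytes.fromhex(tag_hex.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            return "rejected: malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        msg = json.loads(body)
        if msg["ctr"] <= self.last_counter:
            return "rejected: replay"
        self.last_counter = msg["ctr"]
        self.accepted.append(msg["payload"])
        return "accepted"


def demo() -> list:
    """Constructed exchange: a genuine reading, a replay of it, an altered copy, then a fresh reading."""
    gw = Gateway()
    first = encode_message(1, {"hr": 72})
    altered = first.replace(b'"hr": 72', b'"hr": 30')  # modified in transit, tag unchanged
    return [gw.receive(first), gw.receive(first), gw.receive(altered),
            gw.receive(encode_message(2, {"hr": 74}))]
```

`naive_receive` happily returns the altered reading, which is exactly the failure the hardened `Gateway` refuses.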
First line of defence
While there are some standards and industry guides available globally, they are not complete and ratified, nor are they mandatory. However, they do represent a first line of defence; designers and manufacturers should first adopt a proactive, ‘secure by design’ approach to cybersecurity, recognising that attacks are a case of ‘when, not if’.
It is also vital to keep up to date with standards and regulations.
Likewise, following developments in testing frameworks, alongside participating in appropriate standards workshops (for example CEN‑CENELEC events for European standards), will provide a guided, robust and cost-effective solution.
Digitisation and increasing connectivity bring enormous opportunities, but also unforeseeable risks and serious vulnerabilities which can be exploited by new forms of cyber crime.
Security that is tolerant of devices that are implanted, wearable, mobile‑connected, and use public networks is paramount. It is important to remember that there are no ‘bad user behaviours’, only scenarios that the designer or manufacturer has failed to identify.
Neither should patients be expected to shoulder any additional burden for security, as it is a manufacturer’s responsibility to ensure up‑to‑date compliance with all standards and constantly review the ‘cyber resistance’ status of devices.
The internet of medical things (IoMT) has transformed modern healthcare. However, as medical devices become increasingly connected they also become more vulnerable to cyber attack, exposing the people who use them to hazards that did not previously exist.
Ongoing investment in cybersecurity is crucial, both to keep up with technological developments for competitive advantage and to fund effective measures against hacker attacks. All digital healthcare and medical devices must therefore be thoroughly tested and secure, and must comply with global and regional regulatory requirements.