Keeping medical devices safe from cybersecurity threats
There are currently 3.7 million connected medical devices in use today, and market research predicts that the Internet of Things (IoT) healthcare market will be worth $136.8 billion worldwide by 2021.
Unfortunately, the cybersecurity risk posed by these devices is also increasing, with Kaspersky Labs predicting attacks targeting connected medical equipment for extortion, disruption, and data theft will rise this year. Other experts agree that compromised medical systems and devices are a real concern.
But how much risk is really out there—and what are we doing about it? To better address the problem, industry leaders are working to clarify the risks, assess cybersecurity threats, and develop proactive prevention strategies — all while balancing patient safety, health, and privacy.
In recent years multiple connected medical systems and implantable medical devices (IMDs) have seen cybersecurity vulnerabilities revealed, sometimes in dramatic fashion.
In September 2017, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a department within the US Department of Homeland Security, diagnosed security issues with syringe infusion pumps used to provide medication to patients in hospitals and similar settings . The ICS-CERT report showed that a skilled hacker could alter the doses received by patients, creating a potentially deadly situation.
As more healthcare equipment goes online, machines like cardiac monitors, which monitor vitals, and devices like glucometers, which manage important levels in the body, have become great sources of medical data. However, they also are equipped with wireless sensors and connectivity apparatuses, which can be points of exposure for cyber criminals to attack.
“While connectivity opens the door for hackers, the vulnerability that allows a device to be attacked could be in one of many different components,” says Roman Lysecky, an Associate Professor of Electrical and Computer Engineering at the University of Arizona and an expert on medical device security.
According to Lysecky, the way hackers attack a device will depend on the software it is running, the hardware used, and how the device is used by healthcare providers.
Furthermore, as more smart devices are used to monitor patient health, the number of vulnerable medical devices is exploding, according to Timur Ozekcin and Sean Abraham of cybersecurity firm Cylera.
There’s an important difference between life-critical devices, including IMDs and in-hospital instruments, and smart devices that can be used to improve or monitor health but are not essential to patient safety.
That said, devices that produce data used to make a diagnosis may not be immediately life critical, but manipulating the data could lead to the physicians making an incorrect diagnosis, according to Lysecky.
Manufacturers bear responsibility for keeping their devices secure, of course, but what happens to customer data after it leaves the device? The Financial Times reports that healthcare providers often leave data traffic unencrypted, devices unpatched, and a range of cybersecurity risks otherwise unaddressed.
Shared responsibility between the manufacturer and care provider is important to establish, because it is essential to recognizing and creating an effective response to cybersecurity threats.
“Device manufacturers may be able to provide a technical solution to correct a vulnerability, but they do not have the ability to directly fix a device used by patients,” Lysecky said. “The solution requires coordination by healthcare providers, insurers, regulators, physicians, and patients.”
That responsibility begins with threat detection. Reinforcing security measures, enforcing encryption and actively monitoring devices and their behavior is key to ensuring devices are operating safely and data is secure. Beyond connections that happen in a user’s home, clinics and hospitals must also consider how they monitor, manage, and guard medical devices against cybersecurity risks.
“I believe attacks on medical devices and healthcare system will only increase in time,” Lysecky states. “Minimally, having a plan for how to respond to an attack would be good for all stakeholders.”
For firms like Cylera, achieving buy-in from healthcare organizations and regulators will continue to be important, as will ongoing efforts to stay ahead of the opposition.
“The process, the technology, it all has to be continuously updated, and the hacking community versus the healthcare side will always be trying to keep ahead of each other,” Ozekcin said.
For Lysecky and his team, the ultimate goal of their current work is to create medical devices that automatically mitigate attempted hacks or malware.
The team is concerned with two different scenarios: In the first, an attacker attempts to exploit a vulnerability in a device that is publicly known and has not yet been fixed. In the second, the vulnerability is not yet known to the device manufacturer and could lead to a so-called “zero-day” attack.
To combat these threats, Lysecky and his team are working to develop IMDs capable of detecting threats or malware automatically, without depending on the manufacturer to identify a vulnerability.
“Some of the research we’ve already done is quite mature and could be transitioned to medical devices in a short time frame,” Lyseck says. The team believes a runtime malware detection method it has developed could be integrated into medical devices being developed now.
That said, automated mitigation methods the team is developing more research. But “with sufficient interest, motivation, and funding from the medical device industry,” he believes that technology could be incorporated in medical devices within three to five years.
Regulation historically lags behind technological innovation, particularly in industries like healthcare, but a balance needs to be struck between advancing technology and ensuring patient safety, according to Lysecky.
He suggests two simple things regulators can do: One is to define how device manufactures must disclose and respond to vulnerabilities, and the second is to require manufactures to consider security as a fundamental requirement of any new medical device.
The Cylera execs agree that balanced regulations will be critical to avoiding a chilling of innovation. “You don’t want to impede the medical device companies with too much regulation if they’re producing very clinically relevant devices,” Ozekcin points out. “If there’s excessive regulation… it’s harder to get on the market. Certainly the FDA is there to get as many good, clinically important devices out there, as safely as possible, so I think that’s an interesting dynamic.”
There’s no question that balancing patient safety, health, and privacy with reducing cybersecurity risk is a challenge. However, more accurate risk assessment and proactive prevention are the critical first steps in this process.
Moving forward, cybersecurity will become another vital component of patient health, given the risks posed by lack of security and the benefits of connected medical devices.