Why we must prioritise Medical Device Security
For the past twenty years, medical testing has been mostly centralised in laboratories. Whether private or hospital-based, these labs could process dozens of different tests on thousands of samples every day. Automation and robotics provided rapid and reliable testing. It was cost-effective, and data security was tight. Medical device security was not an issue.
But the world of healthcare is rapidly changing. The latest medical technology is growing ever more portable and interconnected. Testing devices may be hand-held or strapped to the patient like an armband. A visiting doctor or nurse could be taking readings – such as glucose and blood pressure – and immediately transmit them to a hospital or surgery. Or a patient may be sitting at home and being monitored remotely. The Internet of Medical Things (IoMT) is driving a hand-held boom as technology gets smaller, smarter and closer to the patient.
The scope of connected medical devices
At a recent international Trade Show, more than forty companies promoted ‘wearable technologies’. There were wristbands and armbands for blood pressure and fertility monitoring. An earpiece could monitor five variables, including heart rate and blood pressure. A finger ring could detect atrial fibrillation. Many of these high-tech tools use Bluetooth and Wi-Fi to upload data and allow remote monitoring. Telemedicine and telehealth are driving similar connectivity, enabling doctors to see more patients more efficiently by internet links.
Primarily driven by advances in wireless communications, mobile devices, and cloud computing, IoMT has the potential to transform the healthcare industry. Near-to-the-patient testing and monitoring can deliver more targeted and personalised medicine and reduce costs.
It is relatively simple for a laboratory to ensure the security of its high throughput testing systems. They can run on a stand-alone network. Results can be delivered by paper print out. Ensuring the healthcare cybersecurity of a connected network of devices is a far greater challenge. They may be used in the home, in the doctor’s surgery, or a clinic. And they may be connected to domestic or office and clinic networks.
Healthcare systems collect and process sensitive information to make critical decisions. Cybercriminals targeting weak points can obtain unauthorised access to personal healthcare data.
Each device is a point of vulnerability in itself and device security has to be ensured for every component on the network. But often cheaper devices are aiming to push down costs so their software and hardware are often based on multiple free software or open-source utilities. Such software is often adapted, not really patched, and not well maintained.
Medical devices connected in the home regularly lack basic security features and virus protection, and because they run on a home Wi-Fi network without the security features that would be typical in a major hospital or laboratory, they are exposed. Hacking, ransomware and simple sabotage are some of the threats that unsecured devices and networks face.
Whilst we all know that our smartphone apps come with regular upgrades and patches, medical devices are not smartphones and without routine security patches. Consumers understandably want to depreciate their capital investment in a medical device over a long period, and so the vulnerabilities in these devices multiply as new threats emerge and the devices age. Medical device security must begin at the design stage and continue through to the end of the device’s working life.
IoT security challenges start when medical technology companies design and manufacture the product. Manufacturers need to create devices that have up-to-date security patches out of the box and, furthermore, have the capability to be patched after being sold. But in many cases, securing these devices is an afterthought for manufacturers. Purchasers are left to double-check that they will stand up to the challenges of today’s complex home and healthcare environments. Because once unsecured IoMT devices are placed into hospitals, the responsibility shifts to hospital IT staff and at home there is no one besides the consumer.
Protecting devices and patients
An important step is to follow the standard protocols for risk management. The international standard IEC 80001-1 (application of risk management to IT networks of medical products) provides a guide to follow. It presents a unified approach to the safety of medical devices connected to networks. You can use it as a guide for medics, technicians, and IT specialists to work together on reducing risk.
The ongoing development of security analytics can provide an extra level of support for IT staff. Cybersecurity analytics is analysing data to detect anomalies, unusual user behaviour and other threats. A network may include hundreds or even thousands of connected devices providing real-time data – too much data for individuals to process.
Analytics tools can watch and monitor network activity, looking for anything out of the ordinary. The incorporation of machine learning means that such security tools can develop a playbook of what is normal behaviour. Such security support can highlight where devices are located on the network and how they are behaving. IT departments can investigate possible security threats before they get out of hand.
Making after-sales device software updates part of the process, from the beginning, helps keep devices secure whether at home or in a hospital.
Ransomware, data breaches, and Distributed Denial of Service (DDoS) attacks are just some of the threats facing hospitals and healthcare facilities. A recent survey found that more than half of the healthcare organisations contacted had experienced a Cybersecurity threat in the previous year. The increasing use of connected devices within and beyond the hospital makes hospital networks and data even more exposed. But there are ways in which you can increase your security. It pays to protect the integrity of your systems before you get found out.
Fluffy Spider and Medical Device Security
High quality commercial software is hard. Health related software, whether on a device or in the cloud, needs to be rigorous in managing security and privacy, and a realistic software development and test regime is vital.
It is critical that companies implement processes that include secure firmware update capability of networked software whether on devices or in the cloud so that patching of vulnerabilities, as they are identified, and they will be, is possible. Security methods such as multi-factor authentication can help, more for consumer devices and services, third-party penetration testing and code auditing services should be used, and they should be measured against the relevant standards, threat models and vulnerability notifications. Device manufacturers must have someone in the organisation be responsible for security, so that they are tasked with being on top of issues and solutions as they arise.
Fluffy Spider Technologies, builds custom software solutions for the healthcare industry, from devices to the cloud. We work with MedTech companies and health services companies to develop end to end solutions that secure medical data and maintain patient privacy. If you would like to learn more about our capabilities and solutions, please get in touch.