16 Mar 2017
Digital healthcare ‒ addressing cyber security risks for medical devices in the digital age
By Timothy Webb, Sumer Dayal
Addressing cyber security threats in medical devices proactively will help mitigate the risks associated with the rise of these technologies.
Healthcare, as with most sectors, is becoming increasingly digitised in the modern age. This presents both opportunities and risks for healthcare systems ‒ in particular, the cyber security of medical devices that employ wireless technologies and software.
Recently, the Australian Therapeutic Goods Administration (TGA) and the United States Food & Drug Administration (FDA) have actively addressed this issue. The TGA had previously noted the possibility of unauthorised users gaining remote access to Hospira's Symbiq Infusion System and LifeCare PCA3 and PCA5 Infusion Pump Systems, while both regulatory bodies have turned their attention to potential vulnerabilities in implantable cardiac devices.
As the FDA has noted, the same features that expose a medical device to cyber security threats also improve health care and increase the ability of health care providers to treat patients. For example, systems that wirelessly connect to and receive the data stored on a patient's cardiac device and send it to his or her physician(s) via a healthcare network demonstrably improve a physician's ability to provide patient care, but raise their own risks of intrusion.
The question then is one of balance ‒ how do manufacturers implement wireless technology to create better healthcare systems while safeguarding against cyber security threats?
"A shared responsibility"
The TGA and FDA recognise that the onus of mitigating and managing cyber security threats is shared across health care facilities, patients, providers, and manufacturers of medical devices.
In particular, medical device manufacturers and health care facilities should take steps to mitigate the risk of cyber security vulnerabilities and maintain proper safeguards throughout the lifecycle of the medical device.
In the premarket stage, the FDA's "Content of Premarket Submissions for Management of Cyber security in Medical Devices" Guidance recommends that manufacturers should:
- identify assets, threats, and vulnerabilities, and assess their impact on device functionality and end users/patients;
- assess the likelihood of a threat and of a vulnerability being exploited ‒ this can be achieved by using cyber security vulnerability assessments tools or similar scoring systems;
- determine risk levels and suitable mitigation strategies;
- assess residual risk against an appropriate risk acceptance criteria;
- limit device access to trusted users through the use of authentication programs, timeouts, layered authorisation privileges (eg. caregiver, system administrator) and lockouts; and
- restrict software of firmware updates to authenticated code and ensure that the data can be securely transferred to and from the medical device (eg. via encryption).
Similarly, the FDA's "Postmarket Management of Cyber security in Medical Devices" Guidance recommends an "Identify, Protect, Detect, Respond, and Recover" strategy (ie. the NIST Framework) in the post-market stage. Manufacturers should implement measures such as:
- monitor cyber security information sources for identification and detection of vulnerabilities and risks;
- monitor third party components for new vulnerabilities through the device's total product lifecycle;
- implement features that detect and log security compromises and develop appropriate actions to be taken on the detection of a security event;
- promote "good cyber hygiene" through updates and patches to the device to strengthen cyber security and account for identified vulnerabilities and risks;
- adopt industry standards when responding to security vulnerability handling (eg. ISO/IEC 30111:2013) and coordinated disclosures (eg. ISO/IEC 29147:2014); and
- collaborate - the sharing of cyber risk information and intelligence within the medical device community can be effective in the adoption of proactive rather than reactive approaches to cyber security.
For its part, the TGA advises that medical device sponsors and owners should perform risk assessments by examining the clinical use of the medical devices in their host environment.
A matter of vigilance
Cyber security risks are part and parcel of technological advancements. Whether service providers or end users, all stakeholders that engage in proactive rather than reactive measures will be in a better position to mitigate cyber security risks associated with such technologies.
For manufacturers, employing processes to "identify, protect, detect, respond and recover" will help keep the cyber security risks of their devices to a minimum. Ultimately, collaboration across all levels of the product's lifecycle will ensure that the benefits of technological advancements in medical devices will outweigh the risks that they may present.