Image source: Pixabay
Walking through a recent healthcare conference, I couldn’t help but notice the number of devices that were ‘connected’ to ease the patient/practitioner experience and extend the quality of care beyond hospital walls. This connectivity has changed how a patient is diagnosed, treated, and managed. Yet in this digital world, each connectivity point introduces a potential weakness that a growing number of attackers may try to exploit. Unfortunately, there is no single method to protect against every possible threat, but layering security from the software on a device and carrying through to hospital networks can collectively enhance the security posture of a device.
Why Medical Devices?
With an estimated 10 to 15 million devices operating inside healthcare delivery organizations (HDO) in the United States, it is clear that medical devices are an integral part of medical networks. So you may ask yourself, since most devices operate inside an HDO, doesn’t that HDO manage how the device operates?
Truth is, there are technical limitations an HDO faces when securing a device post-market. Should an HDO try to change the software on a device excessively, there is a potential to void a device warranty or to change clinical functionality unintentionally. This warranty is important for clinical functionality and ongoing vendor support as updated versions of the device software are available for patching. Therefore, the typical measures an HDO can pursue are segmenting its network based on how a device operates and monitoring device behavior on its network to potentially identify abnormal behaviors.
A hospital IT staff is typically not equipped with the expertise that’s required to identify a potential security breach and prevent it from happening. Instead, the focus is placed largely on supporting clinical needs. If there is an infusion pump that’s not operating, diagnosing the issue, fixing it, and getting the pump back to work is the critical objective. Rarely do we see an excess in cybersecurity capacity at an HDO that can work to identify, mitigate, and provide alerts on device vulnerabilities.
More than ever, devices are going home with patients and thus operating outside of an HDO network. While it may be prudent to educate the broader public on hardening their home networks, it unfortunately is not part of the existing regulatory environment for medical device operation.
Because of this, building security into the design of a medical device becomes the main medium through which security from the onset can be ensured. When a device has been robustly created to accommodate security requirements, it allows security maintenance and monitoring over its lifetime.
The Regulatory View
FDA has emphasized the importance of collaboration among healthcare delivery organizations (HDOs), medical device manufacturers (MDMs), and security researchers in tackling cybersecurity requirements in medical devices.
Starting in 2014, FDA issued guidance documentation for designing security into devices and maintaining these devices over their lifetime. This was followed in 2016 by post-market guidance that outlined device monitoring requirements.
In October 2018, the updated premarket cybersecurity guidance demonstrated the need to consider cybersecurity and a layered security approach when seeking 510(k) clearance for connected devices. .
One of the more discussed components of the updated premarket guidance (October 2018) is the proposed tiering of devices, which is intended to ‘right size’ cybersecurity requirements to risk. Interestingly enough, at a workshop held by FDA in January 2019, there were several device vendors who expressed a desire to eliminate the tiering structure and instead hold all devices to the same standard.
This commitment from device vendors to ask regulators to limit interpretability of devices is further demonstrated by the issuance of the Joint Security Plan (JSP). Public and private key stakeholders, including HDOs, medical device vendors, federal agencies, and healthcare IT vendors, collaborated to create a product lifecycle reference guide to unite the community on best practices.
What Happens in 2019?
Medical devices currently under development must be designed with cybersecurity requirements in mind. If not, devices may not receive regulatory blessings.
Those devices that are already on the market and still supported by device vendors will stand to gain market share by demonstrating a commitment to following cybersecurity requirements. Not for the sake of compliance, but for the patient safety implications of having a robust program in place.