Qmed Staff

July 29, 2016

5 Min Read
How Can OEMs Respond to the Threat of Medical Device Hacks?

Wireless protocols and standards are urgently needed to protect medical devices from data infringement.

Mike Kanis

Cybersecurity is a critical issue for individuals, businesses, industries, and entire nations these days, and data vulnerability is alarmingly real. Breaches of every scale are reported in the news on a regular basis, usually tied to financial information stored by retailers and banks. The world is going digital in all aspects of modern life, from banking to social networking, fitness tracking, politics, market research, news curation, communication, and just about anything we do or touch in the course of a day. While it offers tremendous convenience, data sharing over the Internet also opens the door to risk.

In healthcare, digital communications are used to monitor patient statistics. Most medical devices that collect data are going home with patients; many of these are capable of transmitting data over the Internet. Pacemakers, insulin infusion devices, and wearable heart rate monitors are familiar examples. Patients use their tablets, cellphones, or other connected devices to upload the data to the Internet, where it can be stored or transmitted to their health care providers. The benefits include accurate and timely reporting, time savings on both sides, and cost mitigation by reducing the necessity for office visits. However, the Internet connection presents a security risk when information goes out into the ether. The threats can be mitigated using existing encryption and safety technologies, but many experienced hackers know how to break into those systems and extract personal data.

As healthcare becomes increasingly interconnected, it's only natural that medical devices will become targets for attack by unrelenting cybercriminals.

Contending with the Burdens of Change

Stolen data presents an obvious threat to individual privacy, which alone is enough to cause concern. But what if hackers were able to not only view data, but also change it--or worse yet, to manipulate device controls? What was once a foreign notion has become immortalized in pop culture, with a politician's pacemaker being hacked in an episode of a popular drama series on Showtime. Reality check: That particular scenario is currently implausible because pacemakers operate wirelessly in a near field using proprietary software and an interloper would need a code to break in. But it does raise the question of when a Hollywood fantasy becomes a medical device developer's worst nightmare. 

Clearly, the medical device and healthcare industries need a proactive plan to combat cyberattacks that could compromise wireless devices' accuracy, safety, and security. While the need has been on the industry's radar for years, regulatory action moves slowly compared with the development of new decryption schemes. It's a tortoise-and-hare scenario with potentially dire consequences.

The fact is, establishing cybersecurity standards for medical devices is remarkably complicated. Besides the usual IT challenges, medical devices are tightly regulated. Their design and operation are approved by FDA for specific uses before they can go to market, and changes can't be made without submitting for time-consuming reapproval. Hackers work quickly to find and exploit vulnerabilities, creating fresh avenues of access to the data they want. The opposite is true of regulatory approvals, which go through a slow and laborious process. Modifications can't be made quickly enough to stay ahead of rapidly evolving intrusion techniques.

Fitting the necessary power inside a device to operate effective security programs presents additional challenges for design engineers. In particular, implantable devices are trending toward smaller sizes while incorporating more and more complex electronics--a feat that becomes more complicated as additional layers of security are introduced.

Adopting New Rules of Engagement

All of the data technology in medical devices was once proprietary, but today the industry is moving toward establishment of standards-based communication systems. As technology advances, wireless protocols and standards are urgently needed to protect medical devices from data infringement. FDA has struggled with defining its role in addressing this issue; development of IT protocols is not within FDA's customary purview, and the agency hasn't yet reached a practical conclusion on its authority or desire to regulate data management aspects of medical devices.

FDA explains its current position this way:

"Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals and facilities must work to manage them. There is a need to balance protecting patient safety and promoting the development of innovative technologies and improved device performance."

Medical device manufacturers and healthcare facilities are encouraged to become familiar with the National Institute of Standards and Technology voluntary cybersecurity frameworkand to work together on managing cybersecurity.

Different degrees of processes exist that can potentially alleviate the threat of a security breach into a newly developed medical device. Potential threat modeling, a traceability matrix, is designed to define all potential security issues with a device under development. This allows for selection of clearly defined requirements with regard to design inputs related to security issues.

The next step is to develop software architecture with remediation activities that eliminate separate or even compound security risks. FDA guidance suggests that these activities be considered during development of devices that are subject to Internet security risks.

Finally, developing protocols for penetration testing of devices at all stages of development is essential to demonstrate that the mitigation efforts are working. Tests such as these are designed to probe the software security at different levels.

Right now, a clear path forward is undefined. It is hoped that FDA will eventually issue guidelines, whose scope and specificity remain to be seen. Meanwhile, it is incumbent on medical device designers and manufacturers to stay on top of the issue and build the best safeguards possible into their products.

Mike Kanis is a sales engineer with Proven Process. Reach him at [email protected].


Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like