In recent years, television shows and movies have memorably portrayed incidents involving hacked medical devices and artificially intelligent medical equipment harming unsuspecting patients.1 Although these story lines are often exaggerated, the underlying threat is real. In fact, the frequency and severity of medical device risks are escalating as devices proliferate and cyber attackers turn their attention to vulnerable environments.
Medical devices represent a ripe target for cyber threats due to a combination of two factors:
– New technology-enabled, networked, and interconnected medical devices are being introduced. These advanced devices increase clinical effectiveness, but open up new attack vectors and cyber risks.
– Despite these innovations, there are still a significant number of older medical devices in use today. These are often not secure, and poorly managed.
The industry is not in the dark about these problems. According to a 2015 KPMG LLP (KPMG) report, 32 percent of health care organizations surveyed consider medical device security to be their top information security concern.2 This apprehension is more than justified. A compromised or sick medical device, e.g., one infected by malware, can potentially shut down hospital operations,3 reveal sensitive patient information to unauthorized persons,4 compromise connected technologies, or harm patients.
The current state of vulnerable medical devices is unacceptable and requires an immediate, industrywide call to action. In order to address ever mounting cybersecurity threats, organizations must take a programmatic approach to identification, mitigation, and remediation of risk. The approach we recommend is fundamentally different from the current state approach. It requires all parties (from manufacturers to health care providers) to communicate and work in collaboration to actively identify cyber risks and related threats, plan for mitigation and remediation, and ensure the ongoing safety and security of patients.
KPMG’s 2015 cybersecurity report found that 81 percent of health care organizations surveyed have been compromised by a cyber attack in the last two years.5 This is due in large part to the value of health care information on the black market, which carries an estimated value of ten times credit card information.6 More recently, cyber attacks at health care organizations have involved “ransomware,” whereby threat actors use malware to encrypt information in compromised environments and demand digital currency to unlock information and restore operations.7 In addition to the recent wave of ransomware attacks, medical device companies and health care organizations face a wide variety of cyber threats, which vary in sophistication and include:
Medical devices in their current state are often vulnerable to cyber attacks, and may contribute to the likelihood that not only the device itself, but critical health care services or an entire organization, will be compromised. This is due to inadequate cybersecurity practices and governance across the life cycle of most medical devices, including:
The bottom line with respect to cybersecurity threats is that any device configured to connect with another device is at risk of an attack. These risks will only escalate in number and severity as organizations and consumers adopt the “Internet of Things”;10 introduce wearable technologies into their everyday lives; continue to take advantage of smart computing devices such as portable electrocardiogram monitors, continuous glucose monitors, and wearable defibrillators; make further use of big data capabilities; and transmit patient data to different sources over multiple networks.
Governments, health care industry advocates, medical device manufacturers, and patients have been concerned with cybersecurity for quite some time. In 1976, the U.S. government required medical device and diagnostics manufacturers to follow quality control procedures to ensure device safety and effectiveness. In 1990, the U.S. government passed the Safe Medical Device Act, requiring providers to report medical device incidents to the U.S. Food and Drug Administration (FDA). (Note: This Act did not address cybersecurity incidents.) In 2014, the U.S. FDA enhanced the safeguards put in place by the Safe Medical Device Act by including the recommendation that medical device manufacturers fully identify and understand cybersecurity risks.11 In early 2016, the FDA issued draft guidelines for medical device manufacturers that call for cyber threat intelligence sharing.
The FDA’s more recent guidance stipulates that an effective cybersecurity risk management program is necessary at both the premarket and postmarket stages, and suggests that medical device manufacturers apply the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
The FDA also appeals to and incentivizes medical device manufacturers to practice cyber threat intelligence sharing via an Information Sharing and Analysis Organization (ISAO) and Information Sharing and Analysis Centers (ISACs).
Many organizations have a multistakeholder team responsible for medical device cybersecurity. This often includes corporate IT; product security; product engineering; research and development; risk; legal; compliance; and trusted third parties. The problem is that many different policies, procedures, and controls are referenced when making design, control, and governance decisions, and there is no lead owner to mediate among them.
We recommend that organizations adopt a “one-policy” view of cybersecurity. This policy should be based upon a thorough evaluation of the specific cyber threats to a medical device manufacturer, including threats to its products, business processes, supply chain, IT infrastructure, software development, and relationships with third parties. We use the ISO/IEC 27005 Information Security Risk Management standard12 to guide stakeholders through the threat identification and analysis process.
As with most initiatives, organizations are best served by identifying what is at risk and then steering their investments to support a risk based approach. This requires that medical device manufacturers identify and prioritize cybersecurity threats to their product portfolios. To do this, organizations need to employ a number of review and assessment techniques that include statistical and dynamic code analysis; vulnerability assessments; penetration tests; gap assessments; key control testing, and more. Further, organizations should collect and analyze threat intelligence to substantiate existing and emerging threats.
Many organizations do not have a strategy for identifying, remediating, and sustaining medical device cybersecurity capabilities. We advise a “crawl-walk-run” maturity development campaign that starts with the aforementioned “where-to-start” model.