How to overcome the cyber risks posed by medical devices

When surveyed by Cyber Security Hub, 60 percent of cyber security professionals in the healthcare field reported that they had experienced at least one cyber attack in the past 12 months. Additionally, 50 percent said the rate and volume of cyber attacks experienced had increased. 
 
As those in the healthcare field have access to both personal and private data which is a particular target for malicious actors, it is important that this data is adequately protected. As seen in cases like the Medibank data breach, which saw 9.7 million customer records stolen and private medical data shared online, the ramifications for patient data being exposed can be immense. 
 
When considering the cyber security of medical devices, how the data collected, stored and processed by these devices is protected, is a pressing conversation. In this exclusive interview, Cyber Security Hub’s editor, Olivia Powell, speaks with Charles Marrow, head of the IriusRisk Centre of Excellence in Embedded Device Security and senior lecturer practitioner in cyber security at Anglia Ruskin University, about the possible cyber risks of medical devices.

Cyber Security Hub: Could you provide an overview of the current cyber security challenges facing medical device manufacturers?

Charles Marrow: The top three industry challenges that I am seeing are data security, limited standardization of communications protocols and patient safety. Manufacturers have a responsibility to ensure data is secure, especially patient’s private data. This includes data in transit, stored data or data being processed by an application.

Generally, healthcare devices are installed in various healthcare services and connected via different interface types. These connection types can range from radio frequency connections – otherwise known as Wi-Fi or Bluetooth – to hardwired physical connections like Ethernet. Each type of connection medium has its own configuration according to the designated installation network, thus making it a complex process for the manufacturers to provide the right configuration setup during the design phase.

Patient safety is a hot topic at present and a major challenge for the manufacturers as many healthcare devices are connected to the internet and remotely accessible, widening the attack plane.

This all goes without even mentioning the cyber security specialist staff shortages across the industry.  

CSH: What does the threat landscape look like?

CM: Expect money-oriented attacks from a range of threat actors. Some typical threat vectors could include - but are not limited by any means – to remote code execution, trojans via phishing email, asset access via an untrusted network; the list goes on and there will always be a vulnerable device on the network however insignificant for the functionality of the intended purpose. The cyber artillery available for launching attacks at the healthcare industry is quite significant given the types of devices deployed in the industry.

Of course, we are not just talking about a device, we also must take into consideration the push for new developments in ‘software as a medical device’, and artificial intelligence (AI) and machine learning (ML) being integrated into the environment. We still have an elementary understanding of how these new technologies will interact with devices in their deployed environment.

CSH: How can these challenges/threats be overcome?

CM: Like most cyber security areas, there is no silver bullet. The most important defense strategy is to integrate security early on in the product lifecycle. Understanding the designated environment, identifying clear scopes/responsibilities and software capabilities of the devices will provide a preliminary security design basis to define applicable threats and their corresponding countermeasures.     
  
This saves costs later on in the product lifecycle in the case where critical updates would have had to have been deployed in the field or remotely, or in the worst case scenario a product has to be recalled. Manufacturers cannot apply all security measures due to cost and budget, not to mention the operability constraints corresponding to accessibility. Designing security embedded from the start however, allows a manufacturer to get the best picture of the security of a device and enables them to make informed choices about what security measures to take.  

CSH: How can manufacturers balance the need for robust security measures with the equally important need for ensuring their medical devices are user-friendly and accessible?

CM: I really like this question, this is something that we are all facing right now in our daily lives with technology, not just with the medical device industry. Whether it is passwords, MFA, PINs or biometrics, so many layers of protections can be cumbersome with regards to accessibility and productivity. There is a fine line between ensuring a device is accessible, user-friendly, operational and secure without reducing accessibility and productivity.

I would strongly recommend moving towards zero trust, password-free authentication and One-Time Authentication Code (OTAC) authentication. For example, OTAC provides secure authentication with a uni-directional dynamic token to overcome bi-directional limitations including high dependency on the push and pull system of network connectivity between clients and servers. This way of accessing a device would reside in the form of a functional means of authentication rather than the user being prompted for a login input.

CSH: For those in the healthcare industry, ensuring the integrity, availability and confidentiality of patient data is of paramount importance. How can manufacturers ensure that patient data transmitted or stored by medical devices meets these standards?

CM: Firstly, they should focus on identifying the intended use or purpose for the data. Data could be accessed 24/7 or only when a device is online or a critical process is running. I would recommend classification of each set of data, its expected state and secure controls applied as per the requirement.

Data can also reside in an ‘in processing state’, whereby the data is being loaded into a program or application. During this process the data may be transferred/compiled in a readable format without the applied encryption making it vulnerable or susceptible to attack. To combat this, data should be classified, appropriately encrypted and protected using industry recommended methods in all stages of the data lifecycle. 

Next, with respect to industry standards, the latest recommendations should be strictly adhered to, for example, The National Institute of standards and Technology (NIST) regularly reviews and updates the recommended minimum requirements for encrypting data and processing of such data in all states. Other standards to follow would be the IEC 62443 series, which provide a very stringent set of controls for securing devices.

CSH: What are the risks – from both a cyber security and patient perspective – posed by unsecure medical devices? Could you share a recent example to illustrate this risk of poor cyber security in medical devices?

CM: Let's go through a theoretical scenario where we know the vulnerability of a medical device.

Device: TransLogic Pneumatic Tube System 

Device function: Delivery of materials and medicine through physically networked tubes in the hospital to facility management, hospital planning, inpatient pharmacy, laboratory, nurse ward etc.

Device vulnerability (in this case multiple vulnerabilities): Use of hard-coded password, execution with unnecessary privileges, improper authentication, download of code without integrity check, out-of-bounds write.

Risks (what if): The risks include the delivery of materials to the wrong location and the delivery of incorrect medicines.

Although this is a theoretical case, some actual reported vulnerabilities of the device are of a critical score and exploitation would be relatively easy.

Serious injury or loss of life by device, system or data manipulation are all possibilities. The risks are very serious indeed and have the potential to bring critical infrastructure down. From disruption of services by ransomware freezing multiple hospitals systems and encrypting files, which is what happened in the 2017 UK NHS cyber attack on pacemakers with critical vulnerabilities, which had to have the firmware updated. To put it into context we would not expect a patient to be worrying about a health monitoring device vulnerability, even though it might have a direct impact on their health condition if normal functionality was manipulated in some form to put the patient in danger.  

Data loss and patient safety is in all our minds when assessing a device but often the boundaries between safety and cyber security are not always addressed appropriately. I would strongly recommend that cyber security risks should be reviewed with respect to safety risks during a device risk assessment. 

This should be completed in the pre-design phase and revisited regularly when the devices are updated/modified to reduce the possible associated impacts. To reduce any associated risks, you can follow a risk assessment process as described in ISO 14971:2019.

CSH: Looking to the future, what emerging technologies and/or trends do you think will impact the cyber security landscape for medical devices in the coming years?

CM: AI, ML and software as a medical device. These are in effect not cyber physical devices and would reside on a device, platform, in the cloud or a local server. There is currently little or no regulation of these and therefore may or may not be designed with security taken into consideration. There is also not sufficient attention on the topic of artificial intelligence security practices and controls in the industry in general. There are some movements from policymakers and governing bodies to make secure development processes mandatory and take security into consideration but it is slow moving.