Cybersecurity For Connected Medical Devices

February 8, 2019

The IoT healthcare market is projected to grow from USD 41.22 billion in 2017 to USD 158.07 billion by 2022, representing a compound annual growth rate of more than 30%. Healthcare providers use a wide range of connected medical devices to provide better patient outcomes through more closely monitoring patient conditions. However, as components of such devices and the links between them become digitized, they also become targets for cyber attack.

The threats to medical IoT devices are quite real. Wired magazine reports that Johnson & Johnson warned customers about a security bug in one of its insulin pumps last fall. St. Jude Hospital has spent months dealing with the fallout of vulnerabilities in some of the company's defibrillators, pacemakers, and other medical electronics. In a recent investigation of new generation implantable cardiac defibrillators, British and Belgian researchers found security flaws in the proprietary communication protocols of ten ICDs currently on the market. And just recently, the US government put out an alert over a critical flaw affecting scores of Medtronic heart defibrillators that allows a nearby attacker to change the settings of a patient's cardiac device by manipulating radio communications between it and control devices.

Medical device security has become a much bigger concern for healthcare organizations since ransomware attackers began using vulnerable medical devices in their attack campaigns. While the potential is there for attackers to use medical devices to harm patients, such occurrences are rare. Rather, it’s much more likely that device security vulnerabilities are being used to gain access to the corporate network to steal data or deploy ransomware. Nevertheless, healthcare organizations are concerned that the medical devices remain “clean” and perform as expected.

According to a recent study by Frost & Sullivan, “Patient Safety in Healthcare, Forecast to 2022,” cybersecurity in medical devices will be one of the top areas of investment in the healthcare industry over the next five years. There is a heightened need for security solutions that can protect against unauthorized access and cyber attacks of connected medical devices to help assure patient safety.

Many patients assume that security is inherent in their medical devices. According to the Irdeto Global Consumer IoT Security Survey, 90% of consumers expect security to be built into IoT devices, and more than 70% of survey respondents are ready to pay for security measures. Unfortunately, security is sometimes an afterthought, even for devices in extremely sensitive use cases.

Changes in Regulation Pertaining to Medical Device Security Measures

Historically, healthcare has been slow to implement disruptive technology tools that have transformed other areas of commerce and daily life. One factor that’s been cited for this lag is the regulation that accompanies medical products. Until recently, the US Food and Drug Administration (FDA) has required strong oversight of even small software updates proposed for medical devices. As noted in the Medical Access Innovation Plan, this restriction has been lifted, and device manufacturers are now permitted to make small incremental firmware updates as needed to keep their products at peak performance. However, this policy change has created an absolute need for automation and orchestration of the updates in a very secure manner.

Consider the scenario of firmware updates for, say, an ultrasound machine. The traditional method of updating such a machine is to send a technician to physically visit each machine to perform the update. A device has to be taken out of service for the time it takes to make the update—perhaps an hour or more. Revenue is lost when the machine isn’t available to serve patients. What’s more, the ultrasound machine manufacturer might have hundreds of thousands of these units in the field that require an update. And now that software updates are permitted more often by the FDA, this update process might take place monthly, or even more frequently, if needed.

The manual device update process is unsustainable and not feasible going forward. Firmware updates must be automated and orchestrated from a central location, without a need to physically touch the devices, and the entire process must be secure to prevent malware injection during the process. What’s more, the process must be quick in order to reduce downtime of the medical devices.

Other Recent Developments Pertaining to Medical Device Security

The National Institute of Standards and Technology (NIST) has issued detailed guidelines on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations. As a reference document, the design advice basically can be applied to any type of medical device. Among other things, the NIST document makes reference to establishing a product lifecycle management program as part of a holistic approach to managing risks associated with infusion pump deployments—and by extension, to other medical devices.

The FDA now offers a voluntary cybersecurity certification that select device manufacturers can undertake. Known as the Pre-Cert for Software Pilot Program, the test program enables the FDA to develop a tailored approach toward this technology by looking first at the software developer or digital health technology developer, rather than primarily at the product (as is currently done for traditional medical products). This pilot will help FDA establish the most appropriate criteria for standing up a firm-based pre-certification program for these new tools.

In recent news, the FDA says it will better integrate the review of cybersecurity in the agency's processes for premarket assessments of medical devices. The agency says it has already taken steps "and is committed to ongoing proactive efforts to promote a multi stakeholder, multifaceted approach of cybersecurity vigilance, responsiveness, recovery and resilience that applies throughout the lifecycle of medical devices."

And in early October, the FDA announced that it is preparing an update to premarket guidance for medical devices that would recommend that manufacturers provide a list of internal hardware and software to help providers respond to cyberattacks. This is something Cybeats already addresses by providing manufacturers with a software bill of materials.

How Cybeats Serves the Medical Device Industry

Medical device manufacturers have a moral obligation as well as a business responsibility to ensure that their products are free from vulnerabilities, protected from malware, and safe and effective for use by medical providers and patients throughout the product lifecycle. This is where Cybeats can help.

Cybeats protects network-enabled medical devices throughout all phases of their lifecycle. Using secure micro-agent technology embedded in each device, Cybeats is able to:

  • SECURE new medical devices to ensure they are without vulnerabilities before being deployed
  • PROTECT those devices from known and unknown threats providing advanced EDR solution once they are deployed
  • IMPROVE the devices by orchestrating the distribution of updated firmware when needed
  • MONITOR the health of the devices in the field proactively providing alerts in regards to software failures such as memory leaks
  • ANALYZE the cyber-kinetic metrics of the devices and respond to the physical world behavioral anomalies

Cybeats software is embedded into devices to provide continuous protection, allowing devices to instantly detect usage abnormalities as well as the most sophisticated threats; block them to prevent harm; and gather intelligence to help neutralize the threats and provide device health telemetry to the manufacturer. Once the manufacturer updates the firmware to eliminate vulnerabilities, Cybeats automatically distributes it to all devices in the field to make them “healthy” again while minimizing downtime.

This lifecycle protection allows medical providers and their patients to benefit from the value of connected devices and equipment without increasing their risk profile.