From The Editor | October 1, 2014

5 Keys To Protecting Your Medical Device From Cybersecurity Threats

By Jim Pomager, Executive Editor

When designing medical devices, it’s easy to miss the forest for the trees.

In this nascent era of connected healthcare, devices must be evaluated in a much broader context than simply a series of discrete patient engagements. They should be viewed as the basic building blocks of a massive national biomedical device network, one that undergirds our nation’s entire healthcare infrastructure. That infrastructure consists of everything from the level of individual clinics, to hospitals, to health systems of multiple hospitals, to communities of health systems.

The integrity of this national healthcare backbone is ultimately dependent on our ability to sustain the device network that lies beneath it. And the best way to do that is to ensure that each digitally enabled device in the network is designed and manufactured in such a way that it operates — and interoperates — both reliably and securely. However, security has only recently become a priority for device makers, says Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety, and Security Consortium (MDISS) and moderator of a panel at AdvaMed 2014 (Chicago, Oct. 6-8) called Medical Device Security: Market-Driven Improvement for the Medical Device Industry.

“When one looks at the issue of medical device security, it becomes very apparent that medical devices historically have not had security sufficiently or robustly designed in as a part of the development process,” Nordenberg told me during a recent phone interview. “The consequence is that the most vulnerable devices on a hospital IT backbone today are the medical devices, and those medical devices are directly responsible for patient care.”

As a physician and a medical epidemiologist, Nordenberg suggests looking at the medical device security issue from a public health perspective, taking three criteria into consideration:

1. How broad is the exposure? “When we look at medical device security three years ago when MDISS was being formed, we learned that there are over 1 billion patient engagements per year in this country,” he said. “We can surmise that basically all of those include an encounter with a digitally enabled, networked medical device, whether it’s wired or wireless.” That figure doesn’t even take into account situations like extended stays in intensive care units, where the exposure to medical devices is almost unlimited. That means there are billions of encounters per year between patients and digitally enabled medical devices.

2. How potentially adverse is the impact? If your home computer is infected by malware, there are often adverse consequences. The computer stops working properly. If a medical device is more vulnerable than home computers — and we know for a fact that medical devices are getting infected and hacked — the consequences can be far more serious. For example, what is the impact of a radiation-emitting device like a linear accelerator or an infusion device like an insulin pump failing? “If devices that push important and impactful medications or radiation into a person are not calibrated correctly or are not working properly, then one could imagine the adverse event would be very serious,” Nordenberg explained. “We need our medical devices to work as per their specs; otherwise, we should all be very concerned.”

3. How preventable are the adverse outcomes? “When you take a step back, you can really imagine that if medical device manufacturers, healthcare systems, government agencies, and other technology companies come together, they could and should be able to come up with better ways to design, implement, and operate medical devices,” Nordenberg said.

Medical Device Stakeholders, Unite!
For these reasons, Nordenberg co-founded MDISS in 2011. The public-private partnership’s mission is to bring together various members of the healthcare ecosystem — to promote dialogue around the issue of cybersecurity, to better understand the risk it poses to the healthcare system, and to collaborate on potential solutions to mitigate those risks.

One of the early hurdles the organization faced was lack of awareness surrounding cybersecurity in healthcare. “Three years ago, very few people were really recognizing and acknowledging this as an issue,” Nordenberg told me. “Not one government agency had a formal program in this area.” To increase industry recognition of the problem, MDISS spoke at industry events, organized panels, wrote white papers, and conducted a great deal of outreach. Today, the Food and Drug Administration (FDA), Department of Health and Human Services (HHS), Department of Homeland Security (DHS), and National Institute of Standards and Technology (NIST) all have established activities in medical device security.

Another challenge for MDISS was getting the various players in the healthcare space to see eye-to-eye. “There was a lot of tension between key stakeholders about whether or not this problem existed, who would admit it, and who should fix it,” Nordenberg said. “Over time, we have been able to convene and cultivate a culture of collaboration that has really helped medical device companies understand the risks and requirements in a way that most — if not all of them — have now implemented programs around designing security in from the beginning.” Healthcare systems have also started to step up, moving from last-generation best practices to current ones, in order to secure their digital health infrastructure.

Now that MDISS has built consensus around the role stakeholders can play in helping to solve the cybersecurity problem, the organization is working to codify best practices and share them with the industry at large. For example, MDISS members are adapting IEC 62443-2-4, a security standard for industrial automation and control (which the FDA recently recognized as a standard of interest), to the healthcare and medical device world. The organization has piloted the adaptation and is in the process of completing the integrating and operating components. Nordenberg hopes that the document will be released for public review by the end of 2014.

MDISS is also working with the Center for Internet Security (CIS) to develop benchmarks for operating systems used in medical devices, in order to optimize their security. The organization is also exploring the application of encryption on legacy medical devices, and has written a white paper on the issues related to patching and updating medical devices through their lifecycles.

5 Security Best Practices For Medical Device Manufacturers
Given the potential magnitude of the medical device cybersecurity problem, what should medical device companies be doing today to protect their products, the national healthcare infrastructure, and patients? Here’s what Nordenberg recommends:

1. Get the healthcare system perspective. Speak with a broad spectrum of healthcare systems to understand the full scope and complexity of the security problem they face when attempting to integrate so many devices in a complex IT network. “Devices are built in isolation — they are built in a laboratory, for all intents and purposes — but then they are released into the wild,” Nordenberg said. “Healthcare systems can have thousands or tens of thousands of devices, so understanding their challenges is a key issue.”

2. Stay current on government recommendations. You should be up-to-speed on the FDA’s guidance on cybersecurity in medical devices, HHS’s Food and Drug Administration Safety Innovation Act (FDASIA) framework for health IT, and information coming out of the Office of the National Coordinator’s (ONC’s) Health IT Policy Committee. “Manufacturers should be acutely aware of the fact that patient safety, vis-à-vis medical device security, medical device interoperability, and broader HIT adoption, is emerging very rapidly,” Nordenberg explained. “They should be aware of that focus and what is emerging to support that capability.”

3. Implement a risk-based process for designing security into your devices. Your security profile should be well-documented so it can be shared with health systems. Nordenberg recommends completing Manufacturer Disclosure Statement for Medical Device Security (MDS2) documents and sharing them at the time of procurement. MDISS is also working with NIST on the Medical Device Risk Assessment Platform (MDRAP), which builds additional operational questions onto MDS2 to help manufacturers and healthcare systems better understand the security profile of their devices.

4. Apply established security testing frameworks. Medical device manufacturers should conduct multiple types of security testing before releasing a device to ensure they have identified — and mitigated — as many security vulnerabilities as possible. In its draft guidance, FDA recommends the use of fuzz testing (and MDISS has published a white paper [PDF] on the technique). Penetration testing is another common security test that should be performed on all connected devices.

5. Monitor the security of your devices post-market. You need to stay informed about how your medical devices perform in the environment after they have been hooked up. “I think that post-market surveillance around security and security vulnerabilities is something that manufacturers, particularly those that are monitoring their devices remotely, can and should be doing,” Nordenberg said. “And ideally sharing what they are learning with entities like MDISS, so we can work together to learn and improve.”

The Future Of Medical Device Security
Today’s medical device cybersecurity environment is out of sync, Nordenberg believes. “We have an innovation imbalance between how quickly we can build new innovation into devices, versus how quickly we can build in new security capabilities,” he explained. “And then we have a big imbalance in how quickly we can implement new security capabilities, because medical devices have a long lifecycle and are difficult to modify once they are approved by the FDA and are on the network.”

As a result, he foresees a future in which devices can be more efficiently monitored and updated — not just patched. This will likely involve changing the way devices fundamentally connect to a network. It will also mean effectively segregating the networking and healthcare components, so you can manage the networking component of a device without affecting its healthcare capabilities.

“We are going to see medical devices designed in such a way that they interoperate and the way they connect to the network can be manipulated, modified, and configured efficiently without changing the healthcare function of the device,” Nordenberg said. “That doesn’t exist today.”

The time is also coming, he added, when all manufacturers design security into their devices from the outset, when encryption becomes standardized on devices, and when whitelisting emerges as an important security capability. He also thinks the standards around medical device security that are just starting to emerge will become easier to adopt, both at the point of manufacture and at the point of operation.

On the other side of the equation, Nordenberg expects that healthcare systems will recognize that cybersecurity responsibility has new urgency because of medical device security risks. “With the massive adoption of digital health capability comes the responsibility to adopt new best practices,” he said. “So we are going to see healthcare systems focus on safety and security and not just privacy and security. That will be a major inflection point.”

Finally, and perhaps most importantly, he thinks that device makers and healthcare systems alike will increase the focus on security vulnerabilities and incidents in post-market surveillance — something that hasn’t happened historically. “We will get more effective at understanding the risks epidemiologically, we will get more effective at identifying when a security event occurs, and we will get more effective at understanding when a security event impacts a patient,” Nordenberg concluded. With this information in hand, healthcare industry stakeholders will be better equipped to secure the next generation of medical devices — and the billions of encounters they will have with patients — from cyber threats.