Medical Device Cybersecurity Throughout the Product Life Cycle

By: Thomas Maeder, Industry Analyst, Axendia

“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy,” begins the May 2021 presidential executive order on improving the nation’s cybersecurity.  Recent crippling cyberattacks on the Colonial pipeline and JBS Foods, and the SolarWinds and Microsoft Exchange hacks, among others, have painfully highlighted the fragility of the information and operational technologies on which the modern world so heavily relies. 

Cybersecurity in Healthcare

Few sectors are more critical, more vulnerable, or more attractive to cybercriminals than healthcare, where there is life or death urgency to resolve problems quickly and where confidential patient information has high market value.  Attacks on healthcare facilities have steadily risen: reported breaches increased from 386 in 2019 to 599 in 2020In October 2020 an attack on the UVM Health Network infected 5,000 computers.  The resulting system outage lasted for more than forty days, cost $63 million to resolve, and forced the reassignment or furlough of 300 workers unable to do their jobs.  In April 2021 many hospitals postponed radiation therapy for cancer patients when a cyberattack on the software provider blocked doctors from necessary treatment information.  A September 2020 malware attack on Universal Health Services caused an eight-day network outage, forcing hundreds of US healthcare facilities to resort to paper records.  Ransomware attacks cost the healthcare industry an estimated $21 billion in downtime in 2020 through attacks on 600 hospitals and clinics, affecting 18 million patient records.

 In February 2021 alone, 45 hacking, phishing, or ransomware attacks on healthcare facilities were reported to the Department of Health and Human Services.  During the pandemic, hackers targeted the World Health Organization, COVID testing sites, and vaccine supply chains.

In addition to demanding ransoms from hospitals whose patients’ lives are at risk, healthcare data has high black market value.  Credit reporting company Experian estimates that while credit card information is worth up to $110, a patient record has a value up to $1,000.  In February 2021 alone, one cybercriminal posted a Dark Web ad offering to sell a database of 50,000 hospital e-mail addresses, phone numbers, and passwords, while another offered 500,000 patient records.

Medical Device Cybersecurity

Medical devices themselves are vulnerable to attack.  Those with wireless connections for data transmission or updates could potentially be reprogrammed, causing harm to patients. Devices also offer broader possible risks.  Cyberattacks on hospitals commonly rely on phishing e-mails, malware, distributed denials-of-service, and other approaches used to target any industry.  Many medical devices, however, are connected to the internet or hospital networks, or communicate information to other devices and could serve as portals to enter a hospital’s IT network.  An FDA official states, “While we are not aware of any use of medical devices to gain a foothold in enterprises, it’s certainly possible if the devices do not follow FDA pre-market and post-market guidance, especially given that legacy medical devices pre-date much of the recent advances in pre-market medical device security approaches.”

Regulatory Position on Medical Device Cybersecurity

FDA recognizes that protection from cyber intrusions is part of the safety, effectiveness, and risk profile of a medical device, and has issued multiple guidance documents on premarket cybersecurity practices to manage security, functionality, and safety.  Manufacturers should identify threats and vulnerabilities and their potential impact on end users and patients, and as part of their quality and risk management processes determine likelihood and severity of harm, and develop appropriate risk mitigation strategies.  These apply both to custom software and to third-party off-the-shelf software that may be incorporated into the device.  Third-party software poses particular risks because vendors do not always provide full information on their software, support for which may lapse before the anticipated device end-of-life.  Protection against cyber threats must be weighed against desirable access, convenience, or interoperability.

Software threats are not always due to external malicious attacks, but may come from inadvertent misuse.  There are reported cases of visitors plugging cell phones into USB ports of patients’ bedside infusion pumps, and an anesthesiologist attempting to charge his iPhone from the port on an anesthesia system monitor caused it to reboot during surgery  and personal communication from ECRI .

Manufacturers can build security into devices from the start, including data encryption, user verification, behavior monitoring, and other strategies, and through a comprehensive Software Bill of Materials (SBOM) make it easier to track emerging vulnerabilities in third-party software, but once a device leaves the plant it becomes a legacy device that will need updates and patches as new threats evolve.  It is important to design devices that will allow upgrades as needed.

Ongoing Security Requires Collaboration

Mitigating cybersecurity risks to healthcare requires collaboration between device manufacturers and provider organizations.  Hospitals have many thousands of different types of devices.  The challenge of knowing where they all are and matching recalls, safety alerts, and patch implementation to them is a massive logistical task.  Whereas most businesses can shut down their IT systems overnight for upgrades or patching, a hospital responsible for round-the-clock life or death care cannot do so.

FDA has issued a draft guidance on manufacturers’ ongoing responsibility to monitor and model risks and take steps to mitigate them, whether through patching or notification to customers of the cybersecurity vulnerability and its potential impact. 

A practical challenge that complicates the collaboration between device manufacturers and provider organizations is the disparity between their respective concepts of end-of-life.  Devices may continue to function and be clinically useful long after their manufacturers actively support them.  Hospitals then must bear the financial cost of replacing perfectly functional equipment, or develop compensating controls, such as removing devices from networks or limiting access.  As FDA points out, some of the most risky devices are older models that seem deceptively safe because they have never had problems, but that were designed prior to the most up-to-date cybersecurity principles.

Particular challenges exist with home use devices incorporating software, as it may be difficult to identify and notify end users.  With the growing trend toward shifting care to a home care setting when clinically feasible, home use devices can include relatively high-risk devices such as infusion pumps, hemodialysis machines, and ventilators.  This ever-expanding Internet of Medical Things offers additional potential points of system entry, as does the use of telemedicine, which grew explosively during the pandemic.

Reporting Cyber Breaches

A critical component to halting or mitigating cyberattacks is the systematic reporting of attempted or successful breaches to data repositories available to all.  All states require public and private organizations to notify individuals of security breaches that release personally identifiable information.  The Office for Civil Rights (OCR) oversees breach notifications if health information is involved.  The U.S. government’s Cybersecurity and Infrastructure Security Agency provides various services and safety alerts.  The Health Information Sharing and Analysis Center (H-ISAC) offers peer-to-peer sharing of threat intelligence and attack mitigation strategies. Depending upon the type of attack, manufacturers and facilities can notify the FBI

Conclusion

Maintaining the security of medical devices and health IT systems against cyber attacks requires constant vigilance and collaboration between manufacturers and healthcare facilities.  Reporting and monitoring of emerging threats and vulnerability of both custom and third-party software enables manufacturers to develop patches and hospitals to implement compensating controls when needed.  Healthcare facilities should assess the risk of connected devices and especially legacy devices not designed for adequate security or no longer supported by manufacturer updates, and should develop and continuously update cybersecurity strategies and rehearse emergency preparedness procedures and contingency plans before an attack occurs. 

Contact Research@axendia.com to schedule an Analyst Inquiry on this topic.

Related Reading:

The opinions and analysis expressed in this Briefing Note reflect the judgment of Axendia at the time of publication and are subject to change without notice. Information contained in this document is current as of publication date. Information cited is not warranted by Axendia but has been obtained through a valid research methodology. This document is not intended to endorse any company or product and should not be attributed as such.