The interconnectivity and interoperability of devices has the potential to foster rapid innovation at lower costs to healthcare facilities whilst offering improvements in efficiency and better patient outcome.
But if cybersecurity goes unchecked, the consequences can be very real. Failing to ensure medical device cybersecurity could lead to serious injury and significant reputational damage.
This past year, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security released an advisory notice focusing on eleven vulnerabilities in legacy software used to power millions of medical devices such as MRI machines and patient monitors, aptly named URGENT/11. Subsequently, in December the FDA issued its own summary of events with supporting guidance for the industry.
It turns out that several vulnerabilities were classified as critical and enable remote code execution, which grants malicious persons the control over the device, ultimately allowing them to make changes remotely.
With the cyber extortion on the rise, it’s easy to envisage a scenario where a hacker threatens to remotely turn off automatic patient warning aids which alerts a caregivers’ attention, intentionally increases the volume of a drug released by an infusion pump to increase the biological effects to an intoxicating level or deny the caregivers’ access to a device mid surgery.
Yes, it may be the hospital that is extorted, but the device manufacturer or supplier isn’t free from liability in the event of injury or death.
As we all know, the FDA does not conduct premarket testing for medical products, this responsibility falls squarely on the medical product manufacturer. The FDA expects manufacturers to incorporate cybersecurity risk analysis into the device design and quality control process.
Success in this area requires an entire cluster of innovation and intervention. Unauthorised access to medical devices could result in death or severe injury, so manufacturers must ensure their technology is secure.
Early and widespread engagement with healthcare delivery organizations will allow manufacturers to better understand the challenges the healthcare industry faces. Alongside a better understanding of the challenges, troubleshooting network vulnerabilities is a necessity.
The weaknesses highlighted by the FDA in Urgent/11 demonstrate there are susceptibilities within software platforms that are both identifiable and resolvable.
Whilst the FDA is yet to issue premarket guidance on vulnerability scans, penetration testing and wireless security assessments, these steps should be incorporated into the design process. The medical device market should take note of the tech sector, where hackers are regularly hired to highlight vulnerabilities in their software in a continual process of improvements.
Once the foreseeable risks are largely understood the manufacturers can implement steps to prevent them. But for certain, analysis and assessment on a continuing basis will be essential to keep pace with the natural evolution of cybercrime and risks.
Post device commercialisation, manufacturers have an ongoing duty of care. Appropriate governance, monitoring and reporting mechanisms should be incorporated into postmarking surveillance programs.
One thing is clear; nobody wants to stifle innovation. Therefore, the long-term solution to development, interconnectivity, and interoperability of medical devices requires both a long-term and holistic view of prevention, to ensure the best in the class practices needed for patient safety.
Sean Burke is Life Science Team Leader at CFC Underwriting