Fighting Medical Device Cyber-crime

Looking at news articles lately, it seems cyber-crimes are on the rise, with credit card and bank account information being stolen, hackers phishing for personal data, and ransomware holding people’s computer data hostage for a fee. While all of these are frustrating and sometimes financially devastating, few if any of them are life-threatening.

But attackers have started setting their sights on medical devices. Stolen medical data is big business, costing sometimes 4x as much as a social security number because of all of the data available (name, social security number, address, phone number, etc.) and since many medical devices have direct access to the more secure parts of hospital networks, they make good back-doors. With more and more devices featuring some kind of connectivity—Bluetooth, Wi-Fi, USB, Ethernet, or some derivation—the potential for hackers to get inside the machines that maintain confidential patient data, diagnose and treat disease, and even perform surgery is increasing.

There have already been reports of ransomware affecting medical devices and the pattern seems likely to continue. While the device affected in the case referenced was a radiology system, consider how much more severe the consequences might have been had the system been a laparoscopic robot in the middle of a procedure, an insulin pump on a diabetic patient, or a pacemaker. The thought is chilling. 

Organizations Combating Cyber-crime

Fortunately, several organizations have already produced good literature to help educate manufacturers and hospital administrators on ways to combat cyber-crime. In compliance with the 21st Century Cures Act, the Food and Drug Administration (FDA) quickly adopted Underwriters’ Laboratories (UL) 2900 standard as a consensus standard. The newly published UL 2900 series of standards provides additional requirements for cyber-security, including risk management, documentation, and validation, and the FDA now expects products submitted for clearance to be compliant. 

The FDA itself also publishes guidance to further help manufacturers protect against cyber-security threats

Finally, the Association for the Advancement of Medical Instrumentation (AAMI) offers advice both as a standard and for laypersons. 

Following FDA, AAMI, and UL guidance can make a product more robust to cyber-attacks, and by remaining vigilant, manufacturers can stay one step ahead of hackers.

What can device manufacturers do to combat cyber-crime? Here’s a brief list of recommendations compiled from the AAMI, FDA, and UL publications referenced above:

How to Combat Cyber-Crime During Development

Identify risks associated with cyber-crime based on:

  • The type of device,
  • The type of connectivity, and
  • What vulnerabilities exist inside third-party hardware and/or software used in the product.

 

Evaluate the likelihood of a risk being exploited and estimate how much harm can come to the patient or operator as a result.

Protect against harm by implementing mitigations to reduce the likelihood of exploitation or severity of harm if an exploit does occur. Here’s an abbreviated list of suggestions:

  • Limit access by using authentication, establishing user roles, avoiding hard-coded passwords, and/or using physical locks on device communication ports to avoid tampering.
  • Ensure that only authenticated code is loaded onto the device (e.g., using a code signature), establish a means for users to obtain updates from a trusted source, and use encryption where necessary to prevent data theft.
  • Implement security compromise detection and use the information to warn the user and develop countermeasures.
  • Architect the system to keep hackers away from core and safety-critical functionality (e.g., handle wireless communication separate processor from the one running the main application).
  • Design the software to make updates possible with minimal impact to the patient.
  • Include a means to get the device back to a safe state in the event a breach is detected.

Minimizing Cyber-Crime in Post-Market Surveillance

  • Feed the latest cyber-security news through the risk management process to identify new hazards as they arise & determine how to update fielded units quickly and safely.
  • Notify the FDA and other notified bodies when a vulnerability is detected and exploited to help raise awareness.
  • Implement fixes promptly and stress the importance of upgrades to users to minimize the number of affected devices.

Committed to Cyber-security

At Realtime, we take cyber-security seriously. We are constantly aware that it could be one of our own loved ones affected by medical cyber-crime. The risks associated with medical device design are staggering: the potential for harm to the patient or operator during normal operation, the added risks introduced when something goes wrong, and now the still further risk of a malicious cyber-attack on equipment by someone who is not in the same room or even in the same country as the device. Yet although our engineers and management have the technical expertise to develop for any industry—indeed, we come from many backgrounds including telecommunications, oil and gas, medical, aerospace, and consumer devices, to name a few—we choose to work in the medical device industry because of the potential for good, the knowledge that the products we help design can improve the quality of patients’ lives, reduce their suffering, and even save their lives. We therefore face challenges like cyber-security head-on, systematically and relentlessly making our designs safer through awareness of the types of risk, assessment of their impact, and mitigation to drive them out.

Realtime is Capable of Keeping Your Devices Safe

Realtime is well-versed in cyber-security, product design, risk management, test, and compliance. Our experts can help you design your product with cyber-security built in from the ground up, with good documentation explaining the design and justifying design choices, and with risks—cyber-security and otherwise—identified and addressed with validated mitigations. Contact The Realtime Group today at 972 985-9100 and let our knowledge and resolve help your company build a better medical device.