Cybercrime and medical devices: a growing threat for patients

Cybercrime is an increasingly worrying matter for healthcare organisations. As healthcare is quickly embracing the digital transformation, more and more processes and communications are being digitised. A clear example of healthcare’s vulnerability to cybercrime was WannaCry’s attack to the NHS in May last year, which disrupted operations at approximately one-third of hospitals trusts and around eight percent of GP practices. The NHS recognised that the attack had an estimated cost of £92m.

Struggling to implement security in this real-time digital transformation

The amount of digital tools used by patients is also growing in number and sophistication. This transformation means a better management of some conditions and a bigger quality of life for a great number of patients -think of continuous glucose monitoring systems, insulin bombs and digital pacemakers. However, the digitisation of patient care involves security threats that need to be addressed.

“The challenge is that most healthcare organisations have gone through a digital transformation from a connectivity perspective but the industry is still struggling to supplement it with real-time, dynamic management and security capabilities,” said Dave Engel, Vice President of Worldwide Sales at ZingBox -a IoT service protection company-, in an email interview.

At the last Black Hat information security conference held in Las Vegas in August, two security researchers remotely disabled an implantable insulin pump and took control of a pacemaker system, showing how easily medical devices (these two were from a well-known manufacturer) can be taken down.

A recent report from Zingbox found that imaging systems and patient monitors were the most affected device categories in a healthcare environment. “This is also due to the fact that such devices have a long operating life; endpoint security is often missing, are not frequently patched, and are managed differently compared to their IT counterparts. Many of these risks could be reduced by following the basic cyber-hygiene. The challenge is that today’s IT tools and processes don’t work for clinical infrastructure,” said Engel.

Cybersecurity guidance from official agencies

A few days ago, the FDA released a draft of its updated premarket guidance for medical device cybersecurity, adding new recommendations for internet-connected products. The FDA states that the need for effective cybersecurity to ensure medical device safety has become more important with the use of wireless, internet connected devices.

The guidance, which was last updated in 2014, provides recommendations on how manufacturers should assess cybersecurity when developing medical devices. One major update is the fact that manufacturers should provide its customers with a list of software and hardware components in a device that could be prone to vulnerabilities.

ENISA is the highest European authority for network and information security.
ENISA is the highest European authority for network and information security.

The European Union Agency for Network and Information Security (ENISA) released a report two years ago to “improve information security and resilience of hospitals to prevent disruptions to smart components that can cause greater impact to patients’ safety”.

The report offers recommendations for the public sector, hospitals and manufacturers. While hospitals and public systems should “invest correctly and cost effectively in protecting smarts assets”, manufacturers of information systems and devices used in smart hospitals have to take certain measures too. Among them are, for instance, building security into products from the outset, adopting secure coding practices and extensive testing.

The use of medical devices by patients is quickly growing and in the next decade, a vast majority of patients with diabetes and other conditions will rely on the safety and security of these devices. Industry and public healthcare systems should work collaboratively to minimise the risks of cyber-attacks. It is a matter of shared responsibility between all healthcare stakeholders.

This article has been published in HIMSS Europe blog as part of a series of articles on digital health. My next piece will dig into how artificial intelligence is starting to impact the healthcare business.