Why MD Cybersecurity is so important
by Danilo Maruccia,
Executive Consultant & Business Partner – PQE Group
Is Cybersecurity important for Medical Devices? The answer is absolutely yes. But let’s step back a little to understand why Cybersecurity has nowadays become a main concern for all Medical Device producers.
The hidden risks of a disruptive innovation.
It is well known that the latest technological innovations have radically changed our lives at every level, to the point of being considered “disruptive”: they changed the way we communicate, the way we access information, how we buy and use products and services, how we move and, ultimately, how we live. In this context, the Medical field is no exception; it must be considered among the most heavily investing industries, with the development of ICT innovations that may overturn the status quo, such as new methods and technologies capable both of enhancing the treatments and health care capabilities available today and of making possible treatments for health conditions that, for many reasons, were not treatable just a few years ago.
However, this kind of game-changing innovation does not come for free: along with it, many new potential vulnerabilities have entered the scene, putting at risk both the functionality of medical devices and patients’ health.
Connected Medical Devices: treating the most complex diseases with ICT and cloud potential.
Within the medical field, Medical Device development plays a major role in innovation, with devices used to treat human diseases like diabetes, heart disease, neurological diseases and many others, tracing new paths and exploring new horizons in human (and not only human) health care.
According to the E.U. definition, “‘medical device’ means any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, including the software intended by its manufacturer to be used specifically for diagnostic and/or therapeutic purposes and necessary for its proper application, intended by the manufacturer to be used for human beings:
- diagnosis, prevention, monitoring, treatment or alleviation of disease,
- diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap,
- investigation, replacement or modification of the anatomy or of a physiological process,
- control of conception,
and which does not achieve its principal intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its function by such means;”
One of the top innovations today is the “Connected Medical Device”, which uses internet connectivity and infrastructure, the most advanced software and hardware technologies, and IoT computing power to improve its health care capabilities by analysing and understanding the patient’s needs and adapting monitoring, diagnosis and treatment in real time.
Let’s consider the three types of software related to Medical Devices: the software used to manage the production of Medical Devices; the software integrated into a Medical Device (“Software in a Medical Device”); and the software that is meant to be a Medical Device by itself (“Software as a Medical Device”, SaMD, as defined by the International Medical Device Regulators Forum, IMDRF), i.e. software used for medical purposes without being integrated into any other medical device.
Vulnerabilities with serious consequences on health and life.
Like every other connected device we commonly use, medical devices can suffer cyber attacks and may be vulnerable to unauthorized access. Consider the MedJack (I, II and III) attacks, which demonstrated how network-connected hospital medical devices such as heart monitors, CT and MRI machines, and PACS systems may be attacked and their functionality hijacked or compromised without notice through a backdoor, with their vulnerabilities used to spread the ‘infection’ across the entire local healthcare network.
Therefore, all Medical Device producers should be aware that a vulnerability in their devices could be exploited, with consequences that just a few years ago were not even imaginable and that put patients’ lives at stake:
for example, an insulin pump, an MD that maintains correct insulin levels in a patient with Type 2 Diabetes, could be wirelessly connected to a server that communicates with a smartphone application where the patient, or a physician, can keep track of insulin level changes in the patient’s body.
That wireless connection could be exploited by ransomware to hijack both software and hardware control of the insulin pump for ransom. Clearly, this kind of attack may have a direct impact not only on the patient’s health condition but also on his/her life, should the insulin pump suddenly stop or change its functioning. This is not an abstract scenario: already in 2012 a renowned professional hacker at McAfee declared that several Medtronic heart monitors could be hijacked, overriding basic functions such as vibration alerts and other features.
Another vulnerable category is Implantable Medical Devices (IMDs), such as neurological stimulators used to treat diseases like Parkinson’s via deep brain stimulation: since they have more complex and powerful computational capabilities and interact deeply with the patient’s brain, a vulnerability in their software could seriously undermine the patient’s health.
Authorities raising regulatory awareness and requirements on MD Cybersecurity.
It therefore makes sense that Cybersecurity must nowadays be considered a must for all connected medical devices: such intrusions and vulnerabilities may have strong negative impacts, such as diagnostic and/or therapeutic errors, disruption of clinical operations and a breach of confidentiality, integrity and availability (C.I.A.), and may even put patients’ data, health and lives at risk.
For this reason, the most important Regulatory Authorities, such as the FDA (Postmarket Management of Cybersecurity in Medical Devices) and the European Commission (MDR 2017/745 and IVDR 2017/746), have already updated their definitions and requirements for what constitutes a ‘Safe Medical Device’, considering not just the device by itself but also its components and its interactions with other devices and tools, to assure its safety in the short, medium and long term at all levels, including cybersecurity.
References
- Regulation (EU) 2017/745 (MDR) and Regulation (EU) 2017/746 (IVDR)
- IMDRF definitions: Software as a Medical Device (SaMD)
- Article on the MedJack 3 malware attacks, Data Privacy Security Insider
- Article on Medtronic MD vulnerabilities, Bloomberg.com
- Camara, Peris-Lopez and Tapiador, “Security and privacy issues in implantable medical devices: A comprehensive survey” (abstract)
Want to know more?
PQE Group has developed a specific holistic approach to verify and assure that our clients have the highest level of cyber security, analysing and solving any possible vulnerabilities and preventing future observations and violations. If you want to know more about MD Cybersecurity, gain deeper knowledge of how the most important Regulatory Authorities have regulated this important topic, and learn how PQE Group can support MD companies in minimizing the risk of vulnerabilities that may lead to heavy unexpected costs, download our FREE Medical Devices Cybersecurity Guide on how the major local regulations (FDA, EMA, Canada, and more) address Cybersecurity.