Medical Device Cybersecurity - Part 1

Safely Test and Deploy Connected Products

16 July 2019

The medical industry is a high-profile, high-value target for cyber criminals. The cost of cyber-crime in the health industry is on the rise, and medical records are fetching a high price on the dark web, as much as a thousand dollars per record. Connected medical devices offer new and increasingly impactful ways of improving patient care, but they also introduce new risks to the medical environment. Careful design and security testing can help mitigate these risks.

Medical Device Threats

The Internet of Things (IoT) presents many threats, and when it comes to the Internet of Medical Things, the stakes are even higher. Stolen medical records are not the only risk of connected medical devices. Malware on a compromised platform can render critical equipment inoperable or even hold the equipment for ransom. Devices could also be used as a launching pad for further attacks. For example, hacked medical devices connected to a hospital network could be used to launch attacks on other systems in the healthcare environment, or could simply be directed outwards as drones in a botnet made up of millions of remotely controlled endpoints. Even if the intent is not so sinister, unauthorized code running on a medical device could render it unstable or consume critical computing resources that the device needs to perform its intended function accurately and safely.

It is for these reasons that regulatory bodies such as the FDA are issuing guidance for cybersecurity in medical devices.  There are also standards, such as UL2900-2-1, which are specifically created to ensure that medical devices are designed to protect against existing threats and to allow the devices to be securely updated to address tomorrow's threats.   These standards and guidance emphasize security by design and are based on a risk management approach.

Regulatory Concerns from the FDA, Health Canada and EU

Due to an evolving landscape and more insight into medical device threats, the FDA recommends premarket submissions for devices with cybersecurity risks. Tackling the cybersecurity mitigation measures upfront can help manufacturers detect, design and develop around flaws ahead of submission into the marketplace. Canada's government has a similar process to the FDA's, in addition to recommending guidance documentation for medical device manufacturers. The EU and other global health systems are beginning to set similar standards in place to help secure products being used in medical facilities across the globe. It is important to be aware of the requirements and to partner with a trusted third party to ensure compliance. Learn more by reviewing our complimentary on-demand webinar.

Join us for part 2 of this discussion, where we will look at best practices for testing.

 

Wayne Steward,
IoT Director, Intertek-EWA Canada

During his 15 years with EWA Canada, Wayne has become an expert in many areas of the cyber security domain, including intrusion detection, cryptography, vulnerability assessment, penetration testing, static code analysis, payment technologies, and product reviews.  Wayne now manages a team of over ten security specialists and penetration testers focused on securing network infrastructure, mobile and web applications, and connected products.