Something that was unheard a few years back is now becoming a hot topic among all the medical device manufacturers – Cybersecurity. It relates to growing concern of connected medical devices susceptible to being hacked by unauthorized people that can risk the device user’s life. Which devices are at risk and why would somebody hack a medical device? To give a simple answer, all the connected medical devices such as wireless infusion pumps, Connected Insulin pumps, pacemakers, neuro-stimulators, defibrillators, CT Scans, digital medical records, blood storage equipment and many more categories of devices are sensitive to hacking. But why hacking? Again the simple answer is anything that can be hacked will be hacked for one of more reasons. It can be stealing of data, information, causing harm or injury to a patient or some other malicious intent or just for fun!
To make the matters worse, this is one area that was completely ignored by many device manufacturers till very recent times. You should not be surprised to know that many of these devices used to come with hard-coded admin passwords such as ”admin” or “password” or “1234”. This made it very easy for somebody to gain access to these devices and change the settings. After all, in this age of IoT, a medical device is just another IP address and you can gain access into that very easily. The aftereffects can be many. Somebody can gain access to an wireless infusion pump to change the dosage (Imagine the impact when a chemotherapy is going on), others can gain access to a BT-connected defibrillator to give random and life-threatening electric shocks to patient, some other can access the web interface of a blood storage unit to change the temperature settings to make all the blood samples unusable and somebody can gain access to an IMD (Implantable Medical Device) to perform specific tasks that can drain the battery very fast and the list goes on…Needless to say that we are talking about a very very real risk that has the potential to play with anybody’s life.
FDA has recognized this growing threat in medical devices domain and issued a new set of guidelines last year to include the management of cybersecurity in medical devices in the design process itself. The basic philosophy is that each medical device should be assessed on its intended use, connectivity requirements and the level of threat it poses. Sufficient security layers then accordingly need to be built and then all the breaches should be logged and proper actions should be taken. FDA recommended cycle for cybersecurity implementation in medical devices is – Identify, Protect, Detect, Respond and Recover. The process in a bit detail is as given below –
- Identify the potential risks, security requirements and threat levels. Keep it at the optimum level. Do not miss anything and also do not overdo it. (After all connectivity has its own benefits also!).
- Protect the devices by limiting the access to the device through layered authentication systems, limiting session timings, controlling the software upgrade methods and providing physical locks on the devices and on their ports.
- Detect any security breaches on the devices by maintaining proper logs with time stamping.
- Respond to any security threats in a timely manner by providing a locking mechanism to the core functionality of the device even when the cybersecurity layer of the device is breached.
- Recover the device by providing appropriate methods of recovery and retention to authorized users. The end users also should be trained on how to respond in such a situation to restore the functionality of the device as soon as possible.
There is one big catch, however. All this can be done for a new device design. What about the devices that are already in field? Obviously many of these devices cannot be recalled or upgraded (At least till now, there have not been instances of medical devices recall because of security concerns. However, the situation might change anytime). Also putting a software patch is not that easy, especially when you are talking about an IMD. Not only IMDs, in fact, many of the devices that are already installed in hospital environments are also are at great risk. Although some actions can be taken to improve the security of these devices, there are many instances where we are just at the mercy of some attackers of hackers.
It’s high time that all of the stakeholders in the healthcare delivery chain – patients, device manufacturers, caregivers, hospitals, clinics and people who attend the patients become aware of these concerns and then prepare accordingly! Everybody has a role to play here and hopefully they will do their bit.
