Nowadays evolution of smart devices leads to exponential growth in different types of medical devices connected to them. Due to this fact such medical devices are no longer used as isolated equipment, but as fully networked equipment with bi-directional communications, remote access, wireless connectivity and control applications/software on mobile phones, tablet computers and wearable devices. Such evolution and generally new real time network capabilities made medical devices cheaper, easier to use, manage and maintain. But improvements of usability inevitably lead to various cyber risks.
Smart meters, wearable devices and even some smart toys not only collect much our biology information including heart rate and blood pressure but also monitor and record our surrounding information and daily activities like the change of indoor temperature and the places you have been. Major security risk with medical devices is that they can potentially expose both data and control of the device itself.
Medical device security has become the primary healthcare security concern following a number of high profile incidents. Justifiably, given a device infected with malware has the potential to shut down hospital operations, expose sensitive patient information, compromise other connected devices and harm patients. Technology convergence is creating new attack pathways and cybersecurity risks with the implementation of new technology, yet older medical devices continue to be utilized, which are often not secure and are poorly managed. New approaches to dealing with increasing cybersecurity threats have recommended all parties collaborate to identify and assess cyber risks and threats, plan mitigations and appropriate incident response to ensure patient safety and security.
Almost every discussion of cyber security relates back to the confidentiality, integrity and availability (CIA) triad:
· Confidentiality prevents sensitive data from being seen or accessed by the wrong people whilst ensuring that those that have legitimate need to access the data can do so
· Integrity means ensuring that data remains accurate and consistent for its life cycle
· Availability refers to the importance of keeping computer systems online and accessible when required by the business
Most medical device cyber risk issues will fall into one of these categories, which make for easier understanding of why a particular technical control or process has been implemented.
Medical devices will often contain complex electronics (often electromechanical) with supporting software or firmware. The latter is often used to control specific features of a device and will often be loaded directly onto a chipset. Historically firmware was rarely updatable, but manufacturers are aware now that updateable firmware makes a device easier to support and update against cyber related threats.
There are a large number of potential risks to medical devices, but examples that are more common include:
· Flawed or defective software and firmware
· Incorrectly configured network services
· Security and privacy issues such as the use of poor passwords or excessive permissions where a basic user can access administration features
· Poor data protection• Improper disposal or loss of the device with on-board memory still containing patient data
· Malware and spyware targeting medical devices
Medical device companies and healthcare organizations face an array of cyber threats including untargeted and increasingly sophisticated targeted attacks. Threats include:
· Disruption of care/service (including potential for patient deaths)
· Deception of staff with spoof email or fake websites to obtain login credentials or install malware
· Unintentional or intentional ‘Insider threat’, which can pose a significant threat due to the position of trust within an organization
· Less of patient information – especially electronic protected health information
· Data breach, information exfiltration and loss of assets
· Blackmail, extortion and duress through exploitation of exfiltrated sensitive data
Regulators and legislators are acting as fast as they can to ensure that data protection laws and device testing standards reflect this new risk, but inevitably they fall behind the hackers in a fast-moving race. As devices contain ever more complex software and developers rush to get new features completed the need to write secure code often comes a poor second, potentially exposing devices to attacks that can be conducted locally or even from outside a clinical setting.
The good news is that with the assistance of experts in cyber security and product testing device manufacturers can get ahead of the curve and build vibrant, secure, international businesses that embrace modern, Internet-based technologies. As you can see, connected health cybersecurity has various problems that you can try to solve in your project!