Healthcare's Achilles' Heel: Cyber Security

May 13, 2020

Software is becoming an ever larger part of healthcare, bringing with it benefits but also - inevitably - risks. Discover the most common reasons for medical device susceptibility to cyber attacks and how working with Critical Software can change your cyber security fortunes.


It is becoming increasingly common to hear about medical devices being connected to the internet, hospital networks and even other medical devices. The goal is, of course, to improve healthcare and help healthcare providers treat patients.

However, this wave of new tech can also raise significant concerns, specifically cyber security threats. Just like any other computer system, these medical devices are vulnerable to being meddled with by hackers.

From insulin pumps to cardiac implants like pacemakers, from imaging and diagnostic devices to data management systems – all have been either the direct target of cyber security attacks or have presented serious vulnerabilities to such attacks.

The consequences of these attacks aren’t, or at least shouldn’t be, surprising: device malfunction is the main concern, closely followed by personal data breaches and the inability to access data from devices. The question is, why are medical devices so vulnerable?


While improving medical devices to keep up with the latest tech trends tends to be a good thing, it can simultaneously pose a threat if these improvements are implemented without the proper precautions.

Interconnectivity is a positive of more modern medical devices, but it comes with potentially severe risks that need to be accounted for. The more interconnected devices are, the more prone they are to cyber attacks because they’re increasingly connected to the internet. One can safely say that it’s a close race between medical device manufacturers and hackers, as each tries to stay ahead at its own end of the spectrum – safety versus threat.

Updating is a challenge

Medical devices are systems like any other, which is to say that they will need updating to correct software flaws and to ensure that they’re fully compliant. However, performing these updates isn’t as easy as it sounds. Applying corrections can take longer than desirable, and by the time these fixes are applied, new threats may have arisen. Moreover, many hospitals still run legacy operating systems that are no longer supported, which makes updating medical devices even more complicated.

Adding to the challenge of keeping medical devices updated, there’s also the problem caused by devices that simply don’t receive updates anymore. Both situations give hackers an entry point for meddling with systems and putting patients in harm’s way – whether this involves functional changes applied to the device or unauthorised access to personal information.

Refitting of medical devices

To keep up with market trends and consumer demands, manufacturers have refitted some of their devices to become networked. By doing so, real-time data collected by those devices can be shared with relevant systems to facilitate process automation. Vendors could leverage this data by managing it remotely. Although refitting has brought some benefits, these devices are more likely to have vulnerabilities because they weren’t created from scratch with interconnectivity in mind.

Lack of consensus

There is a dire need within the medical devices industry for entities to be on the same page when it comes to establishing rules on cyber security standards. With regulations and guidelines in place from the FDA and European Commission, there will be extra pressure on manufacturers and authorities to make cyber security a priority. But regulation is important not only for healthcare providers but also for patients, since it offers a sense of trust and safety which doesn’t otherwise exist.

Lack of awareness

The lack of regulation and market pressure in terms of medical device cyber security may have kept manufacturers in the dark when it comes to awareness. However, as cyber attacks continue to multiply and companies start to understand how serious the consequences of not adopting a proactive approach are, we hope to see a change of behaviour.

Manufacturers should prioritise cyber security when developing products, using a holistic approach which encompasses everything from company policies to internal development processes and right up to the system design itself, as well as from the corporate level to the product.

What can we do about this?

Solving cyber security threats on medical devices isn’t as straightforward as one might think. Stopping the threat altogether is extremely hard to achieve, but we can still do something to prevent and minimise the risks. It involves effort from many parties and communication is an important aspect to ensure that teamwork is in place.

Our new white paper details the process of building cyber security from manufacturer to end user, covering the reasons why medical devices are vulnerable and what needs to be done to correct this.
