According to a 2015 world preview report by EvaluateMedTech, the global medical devices market was worth $375.2bn in sales in 2014 and is expected to reach $477.5bn by 2020, growing at an annual rate of 4.1% over the next five years.
Along with all of the benefits comes a certain amount of risk, which manufacturers, regulators and healthcare facilities need to mitigate to ensure that these devices are safe to use, that the networks they connect to are secure, and that the devices themselves can be patched against future security threats.
Some current medical devices are highly sophisticated. For example, today's defibrillators use software that learns an individual's heart rate characteristics over time. They react intelligently whenever they detect a heart abnormality, autonomously administering shocks from coils implanted in the heart.
Data needs to be downloaded, and software needs to be updated with improvements and refinements, whenever we visit a healthcare office. This creates a potential security risk. Hackers could target individuals and disable their devices, endangering their lives, launch a widespread attack across a particular kind of device, or steal data. The dangers associated with healthcare mobility solutions and network vulnerability led the FDA to impose new rules in 2013. Since then, it has been steadily introducing new updates and imposing sanctions on firms found to be non-compliant.
Below is a study published by Deloitte, which shows the challenges faced by the Medical Device Industry.
Experts suggest the following are the top reasons why hospital networks are vulnerable:
1) Hospital networks use legacy systems such as Windows XP, which are not robust enough. This earlier contributed to the WannaCry ransomware outbreak that infected medical devices, disabling radiology equipment made by Bayer.
2) We want to use the information we get from medical devices in other systems. Their dependence on wireless connectivity and the overall connection of the devices to the Internet make them more vulnerable to cybersecurity dangers. Attacks that propagate through the network and exploit vulnerabilities in computers and devices attached to it are usually aimed at the following three targets: web servers, databases, and application software.
3) The demand for interoperability and seamless integration between systems, networks, and devices increases the risk of cybersecurity breaches. Compromised medical devices can be used to attack other parts of the network.
4) There is a lack of awareness of cybersecurity issues and security practices, which leads to mixed cybersecurity programs in device development and certification. The poor practices include a lack of secure disposal of devices containing information or data, password sharing, and distribution of passwords, particularly for devices where passwords are required for device access. If no proper training on cybersecurity risks is provided, cybersecurity vulnerabilities persist.
5) There is a lack of timely software updates and patches.
6) Other ways to exploit medical devices include direct attack, social engineering, malware, or a combination of any of these.
The medical industry has now come up with a new way to address the vulnerabilities found in medical devices connected to the network. It tries to facilitate co-operation with white hat researchers to understand the loopholes in the system and come up with solutions.
Def Con is one such annual hackers’ conference, where hackers see breaking into medical devices as their most important work. In turn, they are made to sign agreements promising not to disclose the flaws they find and instead to inform the vendors as soon as possible.
According to the MEDJACK2 report, there are a number of ways hospital networks and medical device vendors can combat cyber attacks.
“Isolate your medical devices inside a secure network zone and protect this zone with an internal firewall that will only allow access to specific services and IP addresses.”
“Implement a strategy to review and correct existing medical devices now.”
“Implement a strategy to rapidly integrate and deploy software and hardware manufacturers, health care providers, and patients.
“Implement a strategy to procure medical devices from any vendor only after a review with the manufacturer that focuses on the cyber security processes and protections.”
“Implement a strategy for medical device end-of-life.”
“Implement a strategy to update your existing medical device vendor contracts for support, maintenance and Implement a strategy to procure malware attack.”
“Manage access to medical devices, especially through USB ports.”
“Evaluate medical device vendors that utilize techniques such as digitally signed software and encrypt all internal data with passwords that can be later modified and reset.”
“Improve your own capacity, that after device selection, your information security teams can test and evaluate vendors independent of the acquiring department.”
“Utilize a technology which can detect malware and persistent attack vectors that have already bypassed your primary defenses.”
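The first recommendation above, an isolated device zone reachable only by specific services and IP addresses, can be checked against recorded traffic. The sketch below is an added example, not taken from the MEDJACK2 report; the zone range, allow rules, and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed medical-device zone and allow rules (assumptions, not from the report):
# (source network, destination network, protocol, destination port)
ZONE = ipaddress.ip_network("10.20.0.0/24")
ALLOW = [
    ("10.10.5.0/28", "10.20.0.15", "tcp", 104),    # imaging archive -> scanner (DICOM)
    ("10.10.9.4/32", "10.20.0.0/24", "tcp", 443),  # patch server -> zone (HTTPS)
    ("10.20.0.0/24", "10.10.9.4/32", "udp", 514),  # zone -> log collector (syslog)
]
RULES = [(ipaddress.ip_network(s), ipaddress.ip_network(d), proto, port)
         for s, d, proto, port in ALLOW]

def is_allowed(src, dst, proto, port):
    """True if the flow matches at least one allow rule (default deny otherwise)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in rs and d in rd and proto == rp and port == rport
               for rs, rd, rp, rport in RULES)

def audit(flow_lines):
    """Return flows that enter or leave the zone without matching an allow rule."""
    violations = []
    for line in flow_lines:
        src, dst, proto, port = line.split()
        port = int(port)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in ZONE and d not in ZONE:
            continue  # traffic that never touches the device zone is out of scope
        if not is_allowed(src, dst, proto, port):
            violations.append((src, dst, proto, port))
    return violations

# Constructed flow records: "src dst proto dst_port"
SAMPLE_FLOWS = [
    "10.10.5.3 10.20.0.15 tcp 104",    # permitted DICOM transfer
    "10.10.9.4 10.20.0.22 tcp 443",    # permitted patch delivery
    "10.20.0.22 10.10.9.4 udp 514",    # permitted log forwarding
    "10.10.7.81 10.20.0.15 tcp 445",   # workstation reaching a device over SMB
    "10.20.0.15 203.0.113.9 tcp 443",  # device talking to an outside address
    "10.10.7.81 10.10.5.3 tcp 443",    # unrelated traffic, ignored
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("not covered by any allow rule:", flow)
```

Any flow the audit reports is either a missing firewall rule or traffic the internal firewall should be blocking, so each one warrants review.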
Manufacturers, health care providers, and patients now share the responsibility for maintaining device functionality, information availability, integrity and confidentiality of data, patient privacy, etc.
The challenge is to strike a balance between security and privacy goals, health care utility and safety. For example, greater use of strong encryption and access control measures increases security, but puts the patient at higher risk in the case of an emergency. Encryption can also slow down medical devices and reduce battery life. Every aspect has to be weighed and decisions taken accordingly.
Patel Nasrullah is a co-founder of the mobile app development agency Peerbits. He devotes his time to inspiring young leaders to take the leap of faith. With 10 years of experience in Web and App development, he now gives his full attention to the enterprise by offering mobility solutions covering strategic planning and execution.