Comment: Clinical functionality vs cyber security of medical devices

Rusty Carter of Arxan Technologies looks at how to balance cyber security with the emergence of vital new medical technologies

While medical devices need to be the best in terms of clinical functionality; without up-to-date security, thousands of patients’ lives will be at risk. While it is important to highlight that safety-related vulnerabilities should always be fixed; how far do we go beyond that? Rusty Carter, vice president of product management at Arxan Technologies, explores the issue

It is too easy for anyone to walk into a hospital and connect their mobile devices to WIFI, after which they could try to attack both personal and medical devices

It’s no secret that the clinical capabilities of medical devices save lives. However, with the increase in the utilisation of connected medical devices; preventing harm or loss of life also greatly depends on the security of such devices.

Take pacemakers for example. Despite them having adequate clinical functionality; at the end of August this year Abbott Laboratories warned that 465,000 patients with St Jude Medical pacemakers were at risk of potentially-fatal hacks.

While medical devices need to perform in terms of clinical functionality; without up-to-date security, thousands of patients’ lives will be at risk.

Attack methods

Rusty Carter

Reverse engineering and ransomware are common methods used to attack medical devices and much of this happens either through applications or the networks these devices are connected to.

Clinical organisations, such as the NHS, which are focused on clinical functionality are incredibly vulnerable to these types of attacks. WannaCry, the huge cyberattack in which thousands of medical devices were compromised, being a prominent example.

The state of security

The security of clinical organisations certainly needs addressing.

Many clinicians who are required to work with computers on the office network, are doing things like checking their personal email and social media, which is opening up opportunities for malware and other threats to enter the network. Furthermore, it is too easy for anyone to walk into the hospital and connect their mobile devices to WIFI, after which they could try to attack both personal and medical devices.

Ransom attacks appear to be particularly effective because lives and health are being held hostage – rather than the usual financial or personal data

Clinical organisations are primarily focused on patient care, so the sheer number of devices being added all the time without strong security protocols increases vulnerability and risk to patient safety and privacy.

The industry is traditionally focused on adopting those technologies that can make for faster, easier care that minimises the immediate impact to patient safety and health, with application and network security being a late addition.

The role of the manufacturer

It is important that medical device manufacturers – and they are beginning to realise this – are aware that their targeted user is not the only person that is able to access their device.

These devices can be, and are being, reverse engineered and attacked worldwide.

To ensure patient care and safety, security really must be part of the device and system by design.

Manufacturers need to incorporate application and data security by design into their R&D processes, and it is essential that devices be tested not just for clinical safety, but for application and data security before they are distributed for patient/clinical use.

Both the security and healthcare industries can facilitate this by introducing stricter guidelines on which devices are allowed in a clinical environment.

Two important questions that should be asked are:

  • What safeguards are being taken to protect devices?

  • and how closely are medical devices monitored? In other words, how quickly will a compromise be detected?

Recently there has been a lot of talk of ransomware and other cyber attacks in the healthcare industry.

Many other industries are ramping up their security, so it is likely the black hats are looking for the easiest target.

Ransom attacks appear to be particularly effective because lives and health are being held hostage – rather than the usual financial or personal data.

Many medical devices, such as pacemakers, are connected to a mobile application which configures the device.

Hackers can reverse engineer and masquerade as a legitimate application and then access and manipulate the medical device through the app, therefore, it is essential both the applications and devices are secure.

Additionally, there needs to be secure communication and mutual authentication between the app and the medical device, and this is something the device manufacturers must be conscious of from the design stage.

The cyber security of medical devices must either remain or become a top priority for manufacturers, as well as the wider healthcare industry

While the clinical functionality of devices is of high importance, without the correct security measures in place, patients’ lives will still be at risk.

The cyber security of medical devices must either remain or become a top priority for manufacturers, as well as the wider healthcare industry.

Companies