Steeve Huin and Lucas Catranis, Irdeto, 02.27.23
The technical revolution of the past 20 years is finally starting to shake the medical device industry and the greater healthcare ecosystem. Taking a wider view of what has historically driven innovation reveals that it has generally been wars and plagues; this latest period of transformation, however, has been driven largely by the ongoing maturation of information technology and its digitalization and pervasive spread into industries that move much more slowly than the internet.
The vicious cycle of device cybersecurity also means that the new connected medical devices of today will inevitably be the legacy devices of tomorrow. As more medical devices come online and sensitive data moves between them seamlessly, cybersecurity has to be at the forefront of device makers' considerations in order to keep patients safe while speeding up their care. The downside is that hostile activity and cyber threats scale with the complexity of the defensive capabilities.
Our article explores the current standing of cybersecurity in healthcare and discusses how the latest developments will reinforce the implementation of secure medical devices for years to come.
Is the Healthcare Industry Growing in the Right Direction?
The development of technology has allowed healthcare tests, scans and consultations to be taken online. The advances have also stretched into the medical devices themselves, allowing interconnectivity and the sharing of sensitive information between devices and servers. Moving away from static offline devices and paper note-taking to having the full system and its communication online, the healthcare industry as a whole seems to be tracking in the right direction.

The COVID-19 pandemic, as we all know, threw the world a curve ball and put immense pressure on Health Delivery Organizations (HDOs) worldwide. Between essential workers being swamped with COVID-19 patients and threat actors planting ransomware in hospitals, the pandemic proved to be a particularly challenging time for the healthcare industry.
It is not all gloom, though: the emergence of capable, connected devices has enabled virtual health, extending the reach of care to those in need, particularly during a global pandemic. The continued need to improve health systems and their performance, coupled with physician shortages, has led to a shift toward a connected, digitalized medical system in which patient information can be transferred between organizations for smoother, more coherent delivery of care.
With growing demand for centralized data management and end-to-end patient journeys, the capability and security of medical devices need to be a globally harmonized effort. That would ensure that device security is handled in a way that limits the number of legacy machines and enables continual, seamless patching of firmware for years to come.
Given these challenges, Medical Device Manufacturers (MDMs) are producing new and more capable medical devices to better address the growing needs of patients. Governments and their regulatory bodies have also been introducing stricter regulations governing the design and management of those devices, helping to ensure they remain secure and relevant for as long as possible.
Will the Healthcare Industry Be Prepared for the Future?
Right now, the healthcare industry is recovering. The ramifications of the pandemic have left HDOs in a troublesome state. In the first six months of 2022, 337 healthcare data breaches were reported, 80% of them attributed to hacking or IT incidents.

Amid the struggle to keep ransomware at bay, the industry has been using medical software and connected devices to control medical equipment and to record patient readings, all online. When hit by ransomware or data loss, HDOs around the world battle to recover, and as a result there are many incidents in which patient care is affected.
Even though the industry is beset by IT issues and cybercriminals, MDMs have been working on bringing new and more capable devices to market that capture and transmit information across the Internet of Medical Things (IoMT).
The interconnectivity and uptake of these medical devices will propel healthcare further into the future by improving the quality of patient care. It is predicted that the medical device market will reach $181 billion by 2030, and with that investment these devices can be updated and patched at more regular intervals to secure the transfer of sensitive data.
In an industry alert published by the Federal Bureau of Investigation (FBI), medical device hardware often remains active for 10 to 30 years, and about 40% of devices at their end-of-life stage offer little or no potential for updates or security patches. With an average of 6.2 vulnerabilities per device, there is a clear and warranted need for change.
The projected cybersecurity budget for healthcare is also trending in the right direction: it should reach $27 billion by 2025 and more than double again to $58.4 billion by 2030. As far as the security of new medical devices is concerned, the manufacturing and aftercare processes are being adjusted in both the US and EU markets to accommodate better security and longevity.
The introduction of new medical devices also means that HDOs can be freed from the unfixable vulnerabilities currently present on legacy devices. To use this substantial budget effectively, understanding the state of ransomware and the severity of threats to medical devices will allow MDMs and cybersecurity experts to adapt their protection processes accordingly.
It is, however, a constant and vicious cycle in which criminals upgrade their attack methods to overcome rising defenses. The state-of-the-art devices of today will inevitably be the legacy devices of tomorrow, which makes communication and adaptation vital for the safety of current and future patients.
How Are Medical Devices Exposed?
With improvements on the way as the FDA and the EU implement new cybersecurity requirements for MDMs, the industry is currently coping as best it can. According to a recent report by Cynerio, about 53% of connected medical devices have at least one critical vulnerability. To put this into perspective, IV pumps make up about 38% of a hospital's IoMT, and 73% of them have at least one vulnerability. That is a substantial attack surface.

With the industry exposing such a wide attack surface, HDOs have become the primary target for the bulk of cybersecurity threats. Another report found that over the course of 2020 the healthcare industry lost about $20.8 billion to downtime, roughly double the 2019 figure. The number of patient records affected in 2020 rose by 470% compared with 2019, and $2.1 million was paid in ransom for patient data.

Image 1: Affected medical devices
The good news is that HDOs hit by ransomware in 2022 are becoming more resilient: in 99% of cases they were able to recover their data and restore operations. The most common method of restoration is backups, though only 73% of them are encrypted, and other HDOs report using multiple restoration methods to achieve cyber resilience.
The data suggests that HDOs are doing the best they can with restoration after ransomware attacks, though they are in dire need of more effective cybersecurity solutions on both the defensive and the recovery side. Since MDMs control the design of the device, adopting a security management plan that addresses security risks throughout the device lifecycle limits the device's attack surface and improves the overall security posture of the HDO.
What Are Common Threats to Medical Devices?
With MDMs looking to improve the cybersecurity of medical devices, there are a number of critical vulnerabilities that, when exploited by a bad actor, can lead to deeper access into the HDO network or other harmful outcomes. Some threats allow arbitrary code execution that grants unauthorized access (the Apache Log4j "Log4Shell" flaw), others spread rapidly through computer systems to encrypt important files (WannaCry and Maui ransomware), and others exploit flaws in an embedded TCP/IP stack to take control of, or disrupt, devices on the network without authorization (Urgent/11).

Looking at the effectiveness of just this selection of threats, it is apparent that bringing cybersecurity to the forefront of medical device design and implementation is the right move to ensure adequate protection against threat actors for the foreseeable future.
Cybersecurity, particularly for medical devices, is challenging and should be approached as a joint effort by all stakeholders, from the design team at the device maker to the technician operating an MRI machine. Training on, and communicating, evolving best practices raises awareness and supports the development of stronger security measures. There is little that can be done if only the CISO has security in mind and the system architect (at the MDM) or the frontline operator (at the HDO) does not follow.
A report conducted in 2019 revealed that 56% of respondents could not fully understand the risks associated with unmanaged IoT devices, confirming an overwhelming lack of awareness of where the issue resides and whose responsibility it is to address it.
Because awareness is so low, those in charge may not fully grasp the ramifications of unprotected devices, nor possess the ability to navigate the evolving cyber landscape. As many as 41% of respondents to the same report said they did not receive enough budget to invest in the necessary protective solutions.
How Can Medical Devices be Better Prepared?
With a wide range of medical devices to account for, protective solutions will also vary depending on the age and software of the devices. For all devices, the best approach so far is to secure them from the design stage rather than once they are already in circulation.

The FDA's 2022 draft premarket cybersecurity guidance stipulates that MDMs should design their devices with cybersecurity top of mind and that new devices be subjected to rigorous testing and meet the minimum requirements for the given market.
Before we look at the regulations, there are a number of other methods worth noting:
- Raising awareness across the industry helps in identifying when issues are present in medical devices. In that case, it may be possible to prevent a catastrophic event simply by taking the affected device offline. A number of organizations (H-ISAC, Z-CERT and ANSSI, to name a few) coordinate the communication of new vulnerabilities to the healthcare industry. In some cases the FBI also releases industry alerts highlighting the attack opportunities that unpatched and outdated devices create.
- Device monitoring assesses whether a device shows abnormalities in its behaviour that could indicate, or lead to, a more substantial vulnerability. Typically this involves establishing a baseline of normal behaviour and then reviewing the device at regular intervals for deviations from it. The two main approaches are network monitoring on the HDO side and assessing the medical device's own capabilities. Neither approach affects patient outcomes, and neither requires exposing Personal Health Information (PHI).
- Recovery from malware is an overlooked element of keeping HDOs operational. With the rise in ransomware attacks, the recovery capability also functions as a deterrent: by keeping backups offline, organizations can restore their data quickly without ever having to engage with their attackers. This has also been lowering ransomware payouts.
- Public Key Infrastructure (PKI) is a set of cybersecurity tools used to facilitate the secure electronic transfer of information over a network. Fundamentally, a PKI manages the issuance and use of digital certificates and public keys for encryption, allowing each device to have its own identity, to prove the integrity of its software and communications, and to authenticate itself to other systems. Using a PKI allows for a longer-term view on effective and trustworthy encryption protocols.

Image 2: Preparing medical devices
Employing these methods helps in the interim while newer medical devices are brought up to the new cybersecurity guidelines for a more secure future.
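The device-monitoring method above (learn a baseline of normal behaviour, then review each interval for deviations) can be made concrete on the HDO network side. The following is an added example, not code from the original article or from Irdeto: it learns, per device, the destinations a device normally talks to and its normal egress volume, then flags new destinations, unregistered devices and volume spikes. The device names, hostnames and byte counts are constructed for illustration, and the flow records are assumed to come from a NetFlow-style export of the clinical network segment (metadata only, so no PHI is handled).

```python
# Added example (not from the original article): a baseline-and-deviation
# check of the kind described under "device monitoring". It works on
# NetFlow-style summaries of each device's outbound traffic (metadata only,
# no payload, so no PHI is handled). All device names, hosts and byte counts
# below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class FlowRecord:
    device: str     # inventory identifier of the medical device (assumed)
    interval: int   # index of the fixed observation window
    dest: str       # destination host:port the device talked to
    bytes_out: int  # bytes the device sent to dest in that window


@dataclass
class Baseline:
    allowed_dests: set = field(default_factory=set)
    mean_bytes: float = 0.0   # mean total egress per window
    stdev_bytes: float = 0.0  # population stdev of total egress per window


def learn_baseline(records):
    """Learn, per device, the destinations seen and the egress volume profile.

    The records must come from a window the HDO has verified as clean;
    a device that was already compromised during learning will have its
    malicious traffic baked into the baseline.
    """
    egress = defaultdict(lambda: defaultdict(int))  # device -> interval -> bytes
    dests = defaultdict(set)
    for r in records:
        egress[r.device][r.interval] += r.bytes_out
        dests[r.device].add(r.dest)
    baselines = {}
    for dev, by_interval in egress.items():
        totals = list(by_interval.values())
        baselines[dev] = Baseline(dests[dev], mean(totals), pstdev(totals))
    return baselines


def check_interval(baselines, records, sigma=3.0, min_spread=0.05):
    """Compare one observation window against the baseline.

    Returns a list of (device, reason) findings. A device whose traffic is
    perfectly regular has stdev 0, so the spread is floored at a fraction
    of the mean to avoid flagging every byte of variation.
    """
    findings = []
    totals = defaultdict(int)
    for r in records:
        b = baselines.get(r.device)
        if b is None:
            findings.append((r.device, "unknown device: not in baseline inventory"))
            continue
        if r.dest not in b.allowed_dests:
            findings.append((r.device, f"new destination {r.dest}"))
        totals[r.device] += r.bytes_out
    for dev, total in totals.items():
        b = baselines[dev]
        spread = max(b.stdev_bytes, min_spread * b.mean_bytes)
        threshold = b.mean_bytes + sigma * spread
        if total > threshold:
            findings.append((dev, f"egress {total} B exceeds baseline threshold {threshold:.0f} B"))
    return findings


# Constructed learning data: an infusion pump reporting to the EMR gateway and
# syncing time, and a CT scanner pushing studies to PACS (DICOM, port 104).
LEARNING_RECORDS = [
    FlowRecord("pump-01", i, "emr-gw.hospital.local:443", b)
    for i, b in enumerate([4800, 5200, 5000, 4900, 5100])
] + [
    FlowRecord("pump-01", i, "ntp.hospital.local:123", 100) for i in range(5)
] + [
    FlowRecord("ct-02", i, "pacs.hospital.local:104", 1_000_000) for i in range(5)
]

# Constructed observation window: the CT scanner suddenly talks SMB to an
# external address, and an unregistered device appears on the segment.
OBSERVED_RECORDS = [
    FlowRecord("pump-01", 5, "emr-gw.hospital.local:443", 5000),
    FlowRecord("pump-01", 5, "ntp.hospital.local:123", 100),
    FlowRecord("ct-02", 5, "pacs.hospital.local:104", 1_000_000),
    FlowRecord("ct-02", 5, "203.0.113.7:445", 50_000),
    FlowRecord("ultrasound-09", 5, "emr-gw.hospital.local:443", 3000),
]


def demo_findings():
    """Run the check over the constructed window and return its findings."""
    return check_interval(learn_baseline(LEARNING_RECORDS), OBSERVED_RECORDS)


if __name__ == "__main__":
    for device, reason in demo_findings():
        print(f"{device}: {reason}")
```

Two practitioner caveats apply. First, the learning window has to be known-good; a useful cross-check is the manufacturer's documented communication profile (for example the ports and hosts listed in the device's MDS2 form), so that a destination the device should never contact is not silently accepted just because it was seen during learning. Second, a finding such as the CT scanner opening SMB to an external address is a reason to isolate the device on the network, not to change anything on the device itself, which keeps the monitoring from interfering with clinical use.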
What is the Current State of Medical Device Regulation?
To secure the future of medical device design, legislators have informed the MedTech industry of a number of cybersecurity regulations that all MDMs will need to abide by in order for their new devices to reach their respective markets. A more consistent and technically rigorous approach to device design gives the industry a harmonized approach and a heightened standard for medical device cybersecurity.

In the European region, MDR 2017/745 and IVDR 2017/746 cover the majority of newly designed medical devices, aiming to ensure that all devices released are fit for the new cybersecurity challenges and can be patched in the years to come. Both regulations set out general safety and performance requirements (Annex I) for all devices that incorporate programmable electronic systems, as well as for Software as a Medical Device, including requirements on IT security measures and protection against unauthorized access.
A couple of additional legislative acts apply in parallel to the MDR, including the NIS2 Directive and the GDPR. These are relevant both to the cybersecurity of medical devices and to the operators responsible for protecting and storing personal patient data. Furthermore, the EU Cybersecurity Act introduces a cybersecurity certification framework intended to strengthen the protection of ICT products, services and processes.
At a global level, the International Medical Device Regulators Forum (IMDRF) has published 'Principles and Practices for Medical Device Cybersecurity'. The Medical Device Coordination Group (MDCG) has also released guidance, 'MDCG 2019-16 Guidance on Cybersecurity for Medical Devices'. The MDCG document references the IMDRF document, and both describe basic principles for ensuring cybersecurity throughout the lifecycle of a medical device.
What are the Next Steps for the MedTech Industry?
The ongoing digitization of healthcare is populating the market with new opportunities for MDMs and improvements in patient care. With this development, new types of safety, security and privacy risks to medical devices are becoming more prominent, and to ensure the security of new medical devices globally, state-of-the-art regulatory frameworks are mandatory.

The European Association for Medical Devices of Notified Bodies (Team NB) released a position paper in late 2022 with the intention of making cybersecurity conformity assessments as efficient as possible while maintaining their quality. The position paper outlines the harmonization of regulatory requirements, bringing coherence and consistency to how cybersecurity is assessed across the European and international markets.

Image 3: Team NB recommendations
There is also still a lot of confusion and overlap between a number of the main regulations in the US and EU markets, in particular around the IT network characteristics and IT security measures required both pre- and post-market.
Global harmonization of these regulations not only makes conformity easier but also helps to bring effective cybersecurity defenses to a similar level across both the EU and the US.

Image 4: Global harmonized regulations
When practices are standardized, the cybersecurity industry can work to build a more secure future on a unified front, ensuring that medical devices worldwide are secure and that everyone contributes to patient safety.
Steeve Huin is COO of Connected Health at Irdeto. He is a seasoned cybersecurity executive with nearly 20 years of experience in building products, driving engagement and revenue within the cybersecurity domain. Huin has a wealth of market knowledge and experience in the video entertainment, mobile gaming and connected industries such as healthcare and transport.
Huin holds a Master’s degree in Software Engineering and is well-versed in the international business landscape, having held key strategic positions in the Netherlands, Canada and China throughout his career. Prior to his current leadership role at Irdeto, Huin was Co-Chief Executive Officer at International Datacasting Corporation (IDC), a technology provider to the world’s premiere broadcasters in Canada.
Lucas Catranis is the Director of Connected Health Solutions at Irdeto. His responsibilities include overall product management of Irdeto's connected health portfolio as well as strategic relationship management. Catranis joined Irdeto in 2013 as a Sr. Engineer tasked with building Irdeto's Service Operations capabilities and then moved into a product management role in the Cybersecurity Services team in 2015. In 2018, Catranis took on the role of Chief of Staff to the Irdeto senior leadership team, where he worked cross-functionally to assist the various business leaders with the development of Irdeto's long-term strategy and business plans.