Our awareness of the medical device security problem has been increasing over the past 12 years. For all practical matters, the event that put it on the map for most of us was an IEEE research paper by Kevin Fu and team, laying out their successful hack of an implantable cardiac defibrillator (ICD). Since then, a lot has happened, and as an industry we certainly have matured.
Yet, at the same time, we do need to challenge ourselves by asking: Are we there yet? I am afraid, as the current global pandemic has highlighted that perhaps we have to recognize that we are not.
We certainly have seen a lot of valuable contributions from the regulatory community, as for example through evolving guidances in North America, Europe, and Asia-Pacific, and most recently through the publication of the final guidance by the International Medical Device Regulators Forum (IMDRF). Further, we have seen a maturing standards landscape addressing healthcare providers (AAMI/ISO/IEC 80001 series), device manufacturers (AAMI TIR 57 and TIR97), as well as providing better definition of the communication between the two parties through an update of the Manufacturer Disclosure Statement for Medical Device Security (MDS2) and the ongoing NTIA Software Component Transparency (commonly referred to as SBOM) project. Lastly, numerous initiatives have been launched to facilitate education and communication between stakeholders, as for example the Healthcare Information Sharing and Analysis Organization (H-ISAC) or AAMI’s focused cybersecurity track at the AAMI Exchange.
If we look at today’s approach, it is largely process-driven and based on information sharing (SBOM, vulnerability disclosure) and reactive mitigation (e.g., patching). Although individual manufacturers are building security engineering competence and are incorporating security requirements into their engineering life cycle management processes, a general consensus on how to best do this has yet to emerge.
Similar, practical restraints on the healthcare organization side have limited the effectiveness of medical device security programs. Although notable efforts exist, so far they often have been idiosyncratic, have failed to scale across the industry, are still largely reactive and process driven (e.g., depending on vulnerability disclosure and patch distribution), or are limited to addressing the problem “on the outside” through network-based anomaly detection solutions. Certainly, a worthwhile effort but still limited in effectiveness and impact.
We need to ask ourselves if this reactive approach will lead to a sufficiently secure state across the industry. Or, in other words, will we ever be able to patch fast enough and complete enough to become secure enough? I believe the honest answer has to be “no.”
What it will take to fundamentally change the security posture of our medical device ecosystem is proactive security—meaning designing the appropriate security technology into our devices from the get go. For that, we need to establish design best practices, the ability to test and provide assurance that devices meet their intended security targets, and make security technologies available that meet the unique medical device use case requirements.
Unfortunately, the ongoing COVID-19 crisis has just moved the goal posts on us. Not only have cyberattacks on healthcare organizations been increasing, be it purely out of opportunity and benefiting from us being distracted, be it for a specific purpose like the theft of intellectual property on treatment and vaccine developments, or to support a political agenda.
I am sure there will be many lessons learned and we will emerge from this crisis as a better healthcare system. This should include some serious considerations around medical device security. For example, I assume that we will undertake steps to improve our stockpile of medical equipment. This means that security will need to be designed in as it is impractical to maintain security (e.g., through patching) of warehoused devices, nor is it likely that we will have the time to upgrade devices if they need to be deployed in the next crisis. In addition, this will require capabilities to track devices and monitor for security events once they are being deployed.
Another consideration is around the security posture of our telemedicine infrastructure. In the current crisis, we have moved to making more health services virtual, and I assume that much of this will remain. We will also see more critical services move into patients’ homes to improve efficiency, reduce costs, provide a friendlier environment for patients, and be better prepared for future surge events.
In summary, between the practical limitations of the current industry approach to medical device security and the experience from the recent pandemic, we will need to recognize the importance of making security proactive and not an afterthought. Security needs to be designed into devices from the ground up. This will take time, but we will be in a better place for it.
Axel Wirth is chief security strategist at MedCrypt and a member of AAMI’s BI&T Editorial Board.
Vidya Murthy is vice president of operations at MedCrypt.