Securing Internet-Connected Medical Devices

Lions and Tigers and Bears — Oh My!

Upon arrival in an unfamiliar landscape in The Wizard of Oz, Dorothy observed, “Toto, I’ve a feeling we’re not in Kansas anymore.” Encounters with flying monkeys, organ-deficient companions, cheerful munchkins and a water-averse witch soon became her new normal.

For us, the new normal involves the accelerating adoption of internet-connected medical devices and virtual care models — the “internet of medical things” or IoMT, which is defined by Deloitte as a “connected infrastructure of medical devices, software applications, and health systems and services.”

The global demand for medical devices — from both individual consumers and health care providers — is huge. In the U.S., that market was estimated to be $160.8B in 2019 and is predicted to reach $176B in 2020. Meanwhile, a report published by research firm Fior Markets expected growth in the global medical device connectivity market from $1.63B in 2019 to $8.76B in 2027.

It’s Alive!

In another famous story, Baron Victor Frankenstein, Mary Shelley’s mad doctor, used simple sewing techniques to piece together the various body parts of his creature, which he then activated with the 19th century version of electroconvulsive therapy. Technology in the 21st century has not yet achieved this capability, although transplants, reattachments, prosthetics and implants — many of which are “smart” (i.e., connected) or manufactured using additive manufacturing and 3D-printing tools — are not uncommon.

Because of this, IoMT represents a more personal aspect of cyber-physical convergence than that seen in other IoT applications — they enter our intimate physical “trust zone.” Patient safety and privacy can be impacted if a device or the manufacturing process of a device is compromised. Such potential has spawned concerns about ethical use and technical capacity to protect privacy, cybersecurity and essential device performance.

Managing the IoMT infrastructure effectively requires consideration of many moving, often autonomous, parts, including:

• Quality control in the manufacturing process.
• Interoperability of medical information stored on multiple devices.
• Reliance on cloud storage and software platform.
• Monitoring network communications.
• Meeting expectations of medical professionals.

IoMT is increasingly part of our life fabric. Building data privacy, device integrity and cyber resiliency into the design and manufacturing of medical devices and equipment is essential.

Who You Gonna Call?

The eccentric scientists in Ghostbusters used parapsychological tricks to ferret out unwelcome specters. Standards and guidelines¹ for medical device manufacturers address collaboration, quality issues, risk and security management, use-case scenarios, and outline practices to identify and eradicate any unexpected “ghostly” behaviors in medical devices. This helps to enhance control over device performance “as designed” and “as built” (even if control over devices “as used” is more elusive).

The International Medical Device Regulators Forum (IMDRF), a voluntary organization, assembled a Medical Device Cybersecurity Working Group, which released its “Principles and Practices for Medical Device Cybersecurity” in March 2020.

This document does not address cybersecurity within the enterprise itself but does discuss the responsibility of medical device manufacturers to enhance product cybersecurity resilience, remediate vulnerabilities, and mitigate risk through the design/development, manufacturing, testing, and support/post-market monitoring stages of the total product lifecycle (TPLC). Its recommendations for manufacturers include development of a TPLC cybersecurity management plan to address the following:

• Situational awareness.
• Vulnerability disclosure.
• Updates and remediation.
• Recovery.
• Evidence that the manufacturer is staying informed about disclosed vulnerabilities and sharing those it has identified.

One risk management technique in particular that can be useful is threat modeling. The Open Web Application Security Project (OWASP) recommends that manufacturers ask the following four questions during design and development:

1. What are we building?
2. What can go wrong (e.g. how could it be attacked)?
3. What are we going to do about that?
4. Did we do a good enough job?

Planning for and building cybersecurity resiliency into medical devices throughout the TPLC from defining performance requirements through delivery into — and retirement from — service will result in products that deserve our trust.  

They’re Heeeeeere!

Poltergeist explores the disruptions created when commercial, profit-based activities disregard ethical, humanist concerns and take shortcuts that lead to unintended consequences and collateral damage. The stakeholder community has collaborated on an initiative to prevent such disruptions in the medical device manufacturing sector, which falls under two of the 16 critical infrastructure sectors identified in Presidential Policy Directive 21 (PPD-21): health care and public health, and critical manufacturing. Plus, in 2015, the U.S. Congress passed the Cybersecurity Act of 2015 (CSA), which includes requirements to align health care industry security approaches.

The Joint Cybersecurity Working Group of the Healthcare and Public Sector Coordinating Council, a public-private partnership with the U.S. Department of Health and Human Services, lists technical best practices for medical device manufacturers including:

• Minimize attack surfaces.
• Establish secure defaults and configuration.
• Maintain audit and accountability.
• Follow principles of least privilege, separation of duties and defense in depth.
• Fail securely.
• Keep security simple and fix security issues correctly.

Anyone who has worked through the NIST SP 800-171 security control requirements will recognize elements of its 14 control families captured in the above summary of best practices. They are tried and true — and fundamental to informed rather than blind trust.

Whether it’s preventing disastrous shortcuts, containing malicious phantoms (or squirrels), or stitching together a multi-node device solution, with regards to medical devices we’re in a new normal. Luckily, we can move to a safer, more deeply aware relationship with technology. We just need to delve further into the IoMT movie script to understand the component parts, how they interact and how to avert mishaps.

This blog is part of a series published for National Cybersecurity Awareness Month (NCSAM). Other blogs in the series include Creating a Culture of Security by Celia Paulsen, If You Connect It, Protect It by Zane Patalive, Suspicious Minds: Non-Technical Signs Your Business Might Have Been Hacked by Pat Toth and The Future of Connected Devices by Erik Fogleman and Jeff Orszak.

^{1 Examples: Association for Advancement of Medical Information (AAMI) - https://www.aami.org/medical-device-manufacturer; Food and Drug Administration - https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity#guidance; International Electrotechnical Commission (IEC) - https://www.iec.ch/perspectives/government/sectors/medical_devices.htm; International Organization for Standardization (ISO) - https://www.iso.org/iso-13485-medical-devices.html; Underwriters Laboratories (UL) - https://www.ul.com/resources/healthcare-standards-directory}