How Should Europe's Medical Device Industry Manage the Cyber Threat?
Medical device cybersecurity is a crucial issue for the healthcare industry ‒ manufacturers must learn to manage risk effectively.
In the fast-moving world of cybersecurity, what might be considered science fiction can very often become reality almost overnight. Five years ago, the US espionage series Homeland featured what seemed an unlikely plot device at the time ‒ the show’s anti-hero was able to assassinate the Vice-President by hacking into the system that controlled his pacemaker. Today, however, the threat of a similar cybersecurity attack is keeping many in the medical devices industry awake at night.
The scale of the opportunity that medical devices offer to hackers, cyber criminals or even terrorists is frightening. A recent study from the European Union Agency for Network and Information Security pointed out that while “smart hospitals” with devices connected to the internet offer huge potential benefits, they also open up tens of thousands of potential network vulnerabilities – everything from mobile phones hooked up to hospital wifi networks to sophisticated medical equipment. Each device provides a potential route into the system for bad agents – and in many cases these devices have been designed with little or no security to deter the hackers.
Medical Device Cyber Risks
The risks with medical device cybersecurity are numerous and desperately serious. Hackers able to gain access to healthcare systems may be able to steal sensitive medical data or hold the organization hostage with a ransomware attack that would have devastating consequences for patients – exactly what happened to the UK’s National Health Service in 2017. Even worse, a hacker could take control of the provider’s technologies – to shut down a life support machine, say, or cut off the power supply of an entire hospital.
Faced with such huge medical device cybersecurity risks, healthcare providers might be tempted simply to tell manufacturers that they no longer require connectivity. However, even if it were possible to somehow put the genie back in the bottle, the very real benefits that connected devices offer would make this a retrograde step.
Indeed, both healthcare professionals and patients are committed to connected devices, which bring advantages such as a reduction in healthcare visits, earlier detection of medical events and better communication between patients and doctors. Then there are potential cost savings in hospitals and across the healthcare network in addition to these improved patient outcomes. Market research firm Ipsos Mori says adoption rates in some European countries are already as high as one in seven.
The challenge, then, is for medical device manufacturers and the healthcare industry to work together to ensure devices are designed, right from the earliest stage, with cybersecurity in mind, and manufactured with the latest controls built in.
Public authorities will increasingly demand this. European Union policymakers are already including cybersecurity criteria in their product approval guidelines, with the Medical Devices Regulations that came into force in May 2017, and the more general EU Cybersecurity Directive, which gives providers of essential services until November 2018 to reach compliance.
Medical device manufacturers pondering how to respond to these regulations will find useful common ground in guidance and regulation designed with broader industrial control systems in mind. In the UK, for example, the National Cyber Security Centre has published Security for Industrial Control Systems, which sets out good practice for securing a wide range of connected devices.
Managing Medical Device Cyber Risks
But the industry may also need to take a step back. In order to manage medical device cybersecurity risk, designers and manufacturers need to develop a common understanding of where this risk is to be found, as well as common standards for all stakeholders – from manufacturers to service providers to network operators.
Several important cybersecurity risk management frameworks can play a crucial role here. Secure product design and lifecycle management will be an important part of the mix. Security audits and assessments – both self-evaluations aimed at assessing cybersecurity maturity and independent inspections – will ensure continuing compliance. Procurement will also be involved in the conversation.
Medical device manufacturers must also be prepared to share much more information – a potential culture shift in an industry where intellectual property is a driver of competitive advantage. By pooling knowledge about both the nature of the threat and the potential remedies, through formal and informal sectors, manufacturers will improve cybersecurity across the industry.
Finally, the medical devices industry, like other sectors, now has to recognize that the fast pace at which cyber attackers change goals and methods means defences cannot be static. Manufacturers need best-practice risk management structures and frameworks – employing a suite of tools such as centralized risk registers, risk matrices and FMEA, and improving problem-solving strategies (5 Whys, Fishbone Diagram, Fault tree) – in order to identify the true root cause or causes and stay one step ahead of the attackers.
- Medical devices represent an opportunity to cyber attackers and a serious risk to the healthcare sector
- Devices must now be designed and developed with the highest levels of security incorporated from an early stage
- Medical device manufacturers need a risk framework that enables them to address cybersecurity throughout their organizations