28 Oct Column | Remote, Telehealth-Driven World Poses New Concerns…
Increased use of telehealth, forced by the global COVID-19 pandemic, arrived at a time when heightened connectivity of medical devices to computer networks and a convergence of technologies already exposed devices and software applications to a variety of threats. The need to protect patient data from cyberattacks is well understood, but the potential risks from such hacking for clinical care and patient safety haven’t been addressed adequately by healthcare organizations, regulators and medical device manufacturers.
The inherent security risk with medical devices is that they can potentially expose both data and control of the device itself to attack. This exposure creates a tension between safety and security, which requires greater stakeholder collaboration to address, particularly in design and regulatory approaches. Put simply, medical device engineering has focused on medical safety for patients but has not sufficiently dealt with cybersecurity for the devices, despite some innovation.
In the age of telemedicine and increased cybersecurity risk, how can healthcare organizations, regulators, medical device manufacturers and consumers ensure their safety?
Demand for Telehealth Will Keep Rising
In 2020, the telehealth market is experiencing a tsunami of growth, and Frost & Sullivan forecasts a year-over-year expansion rate of 64.3% in the United States. “The challenges presented by the COVID-19 pandemic have obliterated the normal growth sequence for telehealth,” the consulting firm said in an April 2020 report.
The unexpected dependence on telehealth this year, in tandem with the increased network connectivity of medical devices and converging technologies, has exposed vulnerable devices and software applications to cyber incidents.
Risks are expected to continue to increase with the gradual adoption of the Internet of Things (IoT), or connected devices, by healthcare organizations and consumers. All these factors have enabled increasing integration of hospital enterprise systems/information technology (IT), clinical engineering (CE) and suppliers through remote connectivity. This increased adoption will be revolutionized further by cloud-based services and the use of big data analytics.
The domain silos of hospital enterprise systems/information technology and clinical engineering are being bridged by networking, exposing cybersecurity weaknesses, and revealing poor stakeholder communication, legacy technology, security vulnerabilities and inadequate device management. Medical device engineering up to now has focused more on patients’ medical safety. In fact, technology convergence is creating new attack pathways and cybersecurity risks as older, less secure medical devices continue to be used. For example, newer devices using older Bluetooth protocols such as blood glucose monitors, pulse oximeters or asthma inhalers could all be affected and provide inaccurate results.
Increased connectivity, wireless technologies, and “hyper-connectivity” often create positive new opportunities for service delivery, remote monitoring and diagnostics, but may also foster unforeseen consequences.
According to the U.S. Department of Health and Human Services, “there has been an increase in cybersecurity breaches in hospitals and healthcare providers’ networks which may be due to COVID-19. Between the months of February and May of this year, there have been 132 reported breaches, an almost 50% increase in reported breaches during the same time last year,” according to Healthcare Finance.
How Do Cybersecurity Breaches Happen?
Threats come from several sources and can be categorized as adversarial, natural (including system complexity, human error, accidents and equipment failures) and natural disasters. Adversarial groups or individuals, also known as “threat actors,” have varying capabilities, motives and resources.
One example, familiar to many in the security industry: Non-profit hospital system MedStar Health in 2016 received a cyber ransom note from hackers demanding a bitcoin payment to ensure Medstar’s continued access to its encrypted computer systems.
Notifications were displayed on infected computers, threatening loss of data after 10 days. Patient records for 10 hospitals and 250 outpatient centers were reported to be either unavailable and or could not be updated, and MedStar relied on paper backup systems. Patient operations were cancelled, and ambulances diverted. Nurses and doctors highlighted safety issues, from treatment delays to problems with test results and the administering of medication before normal operations could be resumed.
With connected medical devices, there is an increased vulnerability due to their connectivity to the internet, hospital networks, other medical devices, mobile computing and phones.
Preparing for Handling Worst-Case Scenarios
To increase patient protections, health IT providers and medical device manufacturers need to plan for the worst, asking tough questions such as:
- How do we secure patient data considering remote monitoring and transmission of diagnoses?
- What happens if data is manipulated or altered through a non-secure connection?
- How do we guard critical, life-giving devices such as remote infusion pumps or pacemakers?
Medical device security has become a primary healthcare security concern after several high-profile incidents like the Medstar aggression. Justifiably so, given that a device infected with malware has the potential to shut down hospital operations, expose sensitive patient information, compromise other connected devices—and harm patients. Medical device manufacturers and healthcare organizations need to move swiftly to implement safeguards to reduce the risk of failure or misuse in the event of a cyberattack.
A common issue in IoT and medical device technology is the limitations found in hardware resources, power, memory and CPU. Ensuring the device can perform robust and resilient secure communications means implementing light-weight mutual authentication mechanisms that provide authenticity of the devices and server, in addition to simply encrypting the communications.
IoT device manufacturers should also avoid using a “Security Through Obscurity” approach or assuming that proprietary and obscure protocols are enough to avoid attention. For example, the Low Power Wide Area Networks (LPWANs) that connect IoT devices are…