Cyber Security: Securing patients’ health

While the benefits of the advances in medical device technology are vast, patients’ data security and even their health can be put at risk. Irish company Nova Leah is leading the way in protecting them from attack.

When talk of cybersecurity arises, many people may remember the chaos WannaCry caused. While it impacted many industries, one of the eye-catching places it hit was the NHS, where it locked out almost 20,000 diagnostic devices.

A contributing factor to cybersecurity-related issues associated with medical devices is the lifespan of some devices. In some cases, this can be up to 25 years, which results in the medical device outlasting some of its components, such as operating systems.

On top of that, not only is there a higher chance of operating systems or components no longer being supported by vendors, but the time and cost it can take to develop a patch, validate it and deploy it can also be a significant undertaking for both manufacturers and hospitals.

Anita Finnegan, the founder and chief executive of Nova Leah, said there are three main factors behind enhancing device security: confidentiality, integrity and availability. When you bring medical devices into the equation, one other factor has to be considered.

“For medical devices, all three of these security objectives are considered coupled with a specific focus on patient safety,” she said. “By way of example, assuring confidentiality would be to protect against the exposure or theft of protected health information (PHI).”

PHI is a critical asset managed by a device or system and contains information such as patient medical history, test results, insurance information, and so on. It is also valuable to malicious individuals who want to obtain such records because of the associated monetary value, said Finnegan.

While stolen credit card records fetch $30 on the black market, electronic medical records are worth up to $1,000 because of the additional information that comes with them.

“Electronic medical records have a longer lifetime in comparison to a credit card record,” Finnegan said. “The largest confidentiality breach was recorded in 2015, when a healthcare insurance provider in the US, Anthem, was hacked, leading to the theft of 78.8 million patient records.

“Considering integrity, security measures are required to ensure a medical device or the data it manages cannot be manipulated.

“Manufacturers of devices such as infusion pumps, insulin pumps, etc, must develop these devices to adequately secure the data in the drug library so that it cannot be changed. Manipulation of a drug library could result in a patient receiving the wrong dosage of drugs.

“Finally, medical device availability is another critical factor. Devices must be able to perform certain actions when patients most require it.”

There have been many examples of medical security going wrong, said Finnegan, ranging from WannaCry to medical device maker Abbott having to recall 465,000 pacemakers.

The latter was due to a vulnerability that, among other things, could allow a hacker to transmit commands to the device that would drain the battery. It meant the pacemakers would not send electrical pulses to a patient’s heart if the heart rhythm was too slow.

Thankfully no patients were harmed by the vulnerability - each patient using the device had to visit a consultant to receive a firmware update - but it does show how careful medical device manufacturers have to be when creating these products. Skimping on security controls or failing to look at the wider picture can have major consequences.

There’s no shortage of such devices out there, with the last decade seeing the rise of IoMT (Internet of Medical Devices), allowing more devices to be equipped with wireless or networking capabilities. Even traditionally analogue devices or objects can be connected to the internet, bringing major benefits to medical professionals and patients.

“Not only can digital devices such as heart monitors be connected to the internet but so can non-digital items like hospital beds and pills,” she said. “Essentially, IoMT lets medical equipment and healthcare products share data in real time, with anyone who has a legitimate need for the information.”

While the benefits are vast, the major downside is that placing these devices on a network opens them up to a range of attacks.

This has been noticed by relevant parties such as the US Food and Drug Administration (FDA), which published cybersecurity regulatory requirements under which manufacturers must conduct a cybersecurity risk assessment and provide evidence of doing so. The FDA followed this up with additional regulations which require manufacturers to continuously monitor products already in the market.

“Manufacturers do not need to report updates to devices that result from a newly discovered vulnerability providing they work with, and report to, an information and analysis organisation (ISAO),” she said.

“All of this means additional resources for manufacturers, additional people and additional time to bring a product to market and to monitor and maintain a device while in the market.”

Evolving industry

With the FDA being first movers, the relevant bodies in Australia and Canada are in the process of publishing draft cybersecurity regulations.

Finnegan says the industry is on a journey towards greater transparency between key stakeholders and there are a number of initiatives in the works to improve collaboration and information sharing.

“Many manufacturers and healthcare providers are sharing cyber-related information with an ISAO such as H-ISAC (Health Information Sharing and Analysis Centre) and MedISAO (the Information Sharing and Analysis Organisation for Medical Devices),” she said.

In Nova Leah’s case, it helps medical device manufacturers by monitoring vulnerabilities in connected products through its solution SelectEvidence. Finnegan explained that it’s designed to be an “expert system to better inform engineering and product security teams through the process of conducting a cybersecurity risk assessment”.

“First and foremost, SelectEvidence is a compliance management solution meaning that the platform meets each and every line item from FDA’s premarket and post-market cybersecurity regulation,” she said.

“The platform also identifies potential vulnerabilities associated with a medical device. In the event that a vulnerability has been identified, SelectEvidence sends an alert to the user who can then log into the system to assess the vulnerability.

“For each vulnerability identified, SelectEvidence identifies the fix, be it a software update or patch or some compensating controls. As soon as a risk assessment has been set up, SelectEvidence kicks into continuous monitoring mode, scanning the software bill of materials for new vulnerabilities on an ongoing basis.”

The solution was the result of Finnegan’s PhD research at the Regulated Research Centre (part of Lero, Science Foundation Ireland’s research centre) in Dundalk Institute of Technology (DkIT). Her research saw her develop a framework which would allow connected medical device manufacturers to demonstrate confidence in the security of their devices.

That relationship with DkIT and Dundalk as a whole has helped Nova Leah become the company it is today, helping it secure funding and aiding its plans for further expansion.

“The success of our spin-out is a testament to the work being carried out by RSRC directed by Dr Fergal McCaffery and the support we received from DkIT’s technology transfer manager Neil McLoughlin,” she said.

“Since the spin-out, DkIT and Nova Leah have once again been successful in obtaining follow-on funding under the Disruptive Technology Innovation Fund. We’ve had a lot of success together, so a continued collaboration makes perfect sense.”

The company is expanding in a number of ways including its team size, market and product development.

“We’ve been very fortunate to have been awarded funding under the Disruptive Technology Innovation Fund for two projects which will get under way in the coming months,” Finnegan said.

“We plan to raise a Series A in early 2020, of which the proceeds will allow the company to extend to new markets such as Canada and Australia.”