As time goes by, the effective operation of more and more medical devices depends on software transmitting and receiving information on patients via internet to and from other software, a link without which the device is unable to function properly.
Such systems offer dramatic health benefits in functionality and immediacy, but they also bring with them an inevitable cybersecurity risk, potentially threatening not only the patients connected to such devices but also the entire digital infrastructure upstream of individual users.
These risks have been dramatized in films and TV series, but they are by no means fictional: it has been scientifically demonstrated that connected pacemakers and insulin pumps could be remotely manipulated and used to potentially kill their wearers. This risk was particularly widely publicized when the former Vice President of the United States Dick Cheney revealed that he had requested the disablement of his defibrillator’s wireless functionality on account of worry over cyber-hacking.
The safety, security and privacy of patients must urgently be protected, and the providers of software for medical devices must work with regulators and the wider industrial context to put stringent measures into place towards this end.
The FDA neatly summarized many of the main concerns in the press announcement concerning its final guidance on Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.
“The FDA’s concerns about cybersecurity vulnerabilities include malware infections on network-connected medical devices or computers, smartphones, and tablets used to access patient data; unsecured or uncontrolled distribution of passwords; failure to provide timely security software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network.”
Proactive and dynamic communication between industry and regulators will be a crucial factor in developing a united front against both intentional and accidental threats. Once responsibilities have been clearly defined, clear targets and language will play an important part in this process. Outside the health industry, another key stakeholder must urgently be engaged to head off this threat: the patients. Patients and the groups representing them certainly can and will input extra security to devices if they are informed on how to minimize the risks associated with the devices they interact with.
One of the areas which the FDA and industry could usefully work on improving is the lengthy and expensive certification process for software: this means that companies are slow to patch software for fear of having to re-submit for re-verification following each patch. This system potentially leaves medical devices vulnerable, like sitting ducks in a rapidly evolving and threatening ecosystem.
The topic of security in medical devices was frequently dealt with at the Software Design for Medical Devices Europe Conference in Munich, Germany on 27th-28th January 2015… particularly in the sessions titled “From ISO 27000 to Secure Processes and Products” and “Cloud Computing - How Connected Is Your Device?”