The changing landscape of healthcare cybersecurity
There has been exponential growth in types of medical devices, often connected to smart devices such as mobile phones, tablet computers and wearable devices, which also run medical applications/software. These devices are already found in homes today. The inherent security risk with medical devices is that they can potentially expose both data and control of the device itself. This raises a tension between safety and security, which requires greater stakeholder collaboration to address, particularly in design and regulatory approaches. These stakeholders now include regulators, device manufacturers, healthcare organizations, IT suppliers, and patients themselves.
Risks are set to increase further with the adoption of the Internet of Things (IoT) by healthcare organizations and consumers. The convergence of networking, computing technology and software has enabled increasing integration of Hospital Enterprise Systems/Information Technology (IT) and Clinical Engineering (CE), and of suppliers through remote connectivity. This will be revolutionized by cloud-based services and the use of 'big' data analytics.
The domain silos of IT and CE are being bridged by networking, exposing cybersecurity weaknesses that are exacerbated by poor stakeholder communication, legacy technology, security vulnerabilities and inadequate device management. Medical device engineering has focused upon medical safety to safeguard patients, but has not sufficiently addressed cybersecurity, despite innovation. In fact, technology convergence is creating new attack pathways and cybersecurity risks as new technology is implemented, yet older medical devices, which are often not secure and are poorly managed, continue to be used. Increased connectivity, wireless technologies and 'hyper-connectivity' continue to create new opportunities for service delivery, remote monitoring and diagnostics, but may also create unforeseen consequences. Cyber incidents arising from potential adversaries, who may inflict cyber-attacks, have significantly increased.

Medical device security has become the primary healthcare security concern following a number of high-profile incidents. This is justified, given that a device infected with malware has the potential to shut down hospital operations, expose sensitive patient information, compromise other connected devices and harm patients.
New approaches to dealing with increasing cybersecurity threats have recommended that all parties collaborate to identify and assess cyber risks and threats, and to plan mitigations and appropriate incident response, in order to ensure patient safety and security.
This is an excerpt from the white paper Cyber security of medical devices. To download our other medical device white papers, please visit the Insight page on the Compliance Navigator website.
The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body. The views expressed are entirely those of the authors.
