Controlling medical device cyber risk

Managing cyber threats across the Internet of Things

Medical device interoperability across the Internet of Things (IoT) has grown remarkably in recent years as companies have continued to expand their product portfolios through mergers and acquisitions, technological innovation, and partnerships with third parties. The latest generation of medical devices, such as infusion pumps, electrocardiograms and blood pressure monitors, offers the convenience of online health monitoring, improved efficiency, and fewer treatment errors. Conversely, the growth driven by innovation in this sector has put medical device manufacturers, healthcare providers and consumers at higher risk than ever before; patients’ lives could even be at risk. This exposes medical device companies to a variety of risks, including potential financial penalties and damage to their brand and reputation, a risk that cannot be easily quantified in dollars. Medical device companies must act now to understand their current risks while planning to control future concerns, without sacrificing the advances that are making products more effective and efficient.

In 2017, the ransomware “WannaCry” spread across the globe, infecting as many as 200,000 Windows-based computer systems. The attack reached hospitals worldwide, including in the United Kingdom and the United States (US). In the US, the most recent ransomware compromise reported at a healthcare organization was of a radiology device designed to help improve imaging. An article in Forbes described how the ransomware infected imaging equipment at a US healthcare organization and how, had the network been compromised, the attack could have spread to every Windows-based medical device in the organization. That could have shut down critical systems providing patient support and directly affected patient safety. The WannaCry attack was not an anomaly: millions of medical devices have been recalled in recent years due to errors, product flaws and security concerns.

Interoperability drives effectiveness – and risk

The increased interoperability and effectiveness of medical devices is evident in clinical settings. The average hospital bed has multiple medical devices connected to a patient at once. These devices tend to come from different manufacturers and, as a result, require software support to exchange information in the standard healthcare data-exchange format known as Health Level 7 (HL7). Efforts to create this interoperability between devices can introduce unknown security threats and exposure. Organizations should address these risks by conducting risk assessments to evaluate device security, by keeping devices patched (wherever possible), and by providing up-to-date training to keep device users abreast of security issues. In addition, healthcare providers should maintain a comprehensive asset inventory and tracking program to identify high-risk devices that store, process or transmit more than 500 patient records.

These threats include:
  • Care and service disruption that could lead to serious patient injury or death
  • Data breaches that compromise electronic protected health information (ePHI) or result in theft of intellectual property (IP)
  • Spoofed emails or fake websites used to obtain staff login credentials or install malware

Did you know?
There are several regulations and standards governing medical device security best practices:

  •  AAMI TIR57
  •  NIST 800-30, NIST 800-53
  •  ISO 14971:2007 Safety Risk Process
  •  ISO 27799
  •  ISO/IEC 27002
  •  ISO/IEC 15408
  •  UL 2900 Software Cybersecurity
  •  UL 2900-2-1 for Healthcare Systems
  •  UL 2900-2-2 for Industrial Control Systems (ICS)
  •  IEC 80001 Health Informatics

On December 27, 2016, a final guidance was released by the Food and Drug Administration (FDA), informing medical device manufacturers of the agency’s recommendation for structured and comprehensive management of post-market cybersecurity vulnerabilities for medical devices. This included medical devices that have been marketed or distributed throughout the product lifecycle. As more devices, some of which are life-sustaining such as pacemakers or insulin pumps, become interconnected through IoT, the attack surface for cyber attackers broadens.

Regulators such as the FDA, the Office for Civil Rights, leading standards such as International Organization for Standardization (ISO) and other international regulations such as the European Medical Device Regulation (EU MDR) are increasingly looking to manufacturers and providers alike to protect patient safety and health information. This may require healthcare providers and device manufacturers to collaborate and coordinate in the interests of patient safety and information security.

Medical device strategy and governance drive product security

With cyberattacks becoming increasingly sophisticated, the likelihood of medical devices being compromised is at an all-time high. A number of the medical device recalls in recent years were associated with security weaknesses, unpatched systems and a lack of security processes in the product lifecycle. Organizations need to be proactive about implementing security measures that support long-term success. In addition to a formal strategy, clearly defined roles and responsibilities should be in place to provide accountability.

A strategy to manage cyber threats

Grant Thornton follows a business-centric Align, Integrate, Measure (AIM) approach to cybersecurity that can provide a valuable framework to help medical device manufacturers and healthcare providers establish a disciplined, actionable cyber strategy.
Medical device cyber risk service catalog
With a strategy in place that aligns the various drivers of industry growth with its challenges, medical device manufacturers and healthcare providers can pursue growth with confidence and deliver better patient outcomes. The right strategy begins with asking the right questions, including:

  • How are your business and medical device cybersecurity strategies aligned to help drive growth and innovation for long-term success?
  • How prepared are you to manage and address new mandates and regulations from federal/state agencies?
  • Do you have complete visibility of your asset inventory?
  • Do you know which assets store, process, and transmit patient health information?
  • How prepared are you to respond to a security breach?
  • How do you manage product vulnerability and patch management in post-production phase?
  • Does your risk management program align with product risk assessments?
  • Do you understand the threat landscape associated with medical device products?
  • How mature is your training and awareness program? Does it extend to healthcare providers and consumers?
  • Does your software qualify as a medical device?
  • How are you managing third-party risks for outsourced products and commercial off-the-shelf products?

Increasing connectivity and interoperability are driving innovative solutions in the medical device industry, making devices more effective, increasing efficiency and improving patient outcomes. However, they are also introducing new risks that medical device manufacturers, healthcare providers and even patients will need to work together to address. Collaboration will be key to ensuring that security is embedded in the design, development, and maintenance processes so that it keeps pace with the technological advancement of medical devices.

Grant Thornton has professionals that can help navigate this complex landscape. Please contact us to discuss how we can help your organization prepare and react.

Contacts: George Serafin, National Managing Principal
T +1 732 516 5580

Derek Han, Principal
T +1 312 602 8940

Vikrant Rai, Senior Manager
T +1 212 624 5212