Experts warn that it is embarrassingly easy to hack medical devices.
The reason is simple. Because connected devices are somewhat new to the industry, cybersecurity is a new concept as well – one that typically falls out of the wheelhouse of the device manufacture. To be sure, much education is still required to help get device manufacturers up to speed. But what is really needed is a culture shift across the industry.
What’s at Stake
The rise in connected medical devices has substantial benefits for patients and end users. However, there are also substantial, and rising, risks. Hackers can inflict their will to compromise:
- Patient safety
- Patient data
- Business profitability
- Brand reputation
The vast majority of cybercrimes are crimes of opportunity. And, unfortunately, there is plenty of opportunity in the medical device community.
The Traditional Culture: Designing to Prevent Patient Harm
Device manufacturers want to create devices that are safe and easy to use.
These companies are great about understanding how their devices work, and what potential risks and opportunities for harm exist within the use of that product. Their design teams work around these models to design a product that is safe to the end user.
What does that mean? It means they will design around intended-use cases and provide some basic protection against misuse. The problem with this approach, however, is that it assumes the user is going to be using that device in its intended manner.
What happens if the device is used in unintended ways?
The Emerging Threats: Expanding the Definition of Patient Harm
As technology advances, so must our definition of what defines a “safe” device.
The challenge facing today’s medical device manufacturers is that the definition of patient harm is expanding, both exponentially and rapidly. Hackers are introducing new ways to harm users of medical devices by stealing patient data, holding data for ransom, holding a device and its user hostage, or using a connected device as a pivot point into a larger network.
It’s no longer just about ensuring that our devices won’t harm someone — but also that our devices can’t be hacked and used to harm users or hospitals.
Many companies simply aren’t great about predicting or expecting these scenarios. The reality is that, to protect against these threats, we must design differently.
The Solution: Security Engineering
So, how does a company go about changing their culture to design devices that protect against all types of patient harm?
The answer is in something called defensive programming.
In traditional programming, you design a device for a specific use to work within a specific environment. Engineers assume that the environment in which their device will operate is safe—that nothing in the environment will attack or infiltrate the device. That type of programming opens the door to all sorts of vulnerabilities.
Engineers today must design defensively, under the assumption that their device will be placed in hostile environments.
This type of programming empowers designers to think critically throughout every stage of the product development process. Each decision about connectivity, integrations, data transfer, usability and software updates must undergo a threat profile. Engineers should ask how each design decision opens their device to risk or defends against potential threats.
Additionally, engineers must assume that the network your device will connect to will be comprised, and that there is someone out there who is actively trying to compromise your device.
How are you building redundancies and protocols into your device to protect against these threats?
How to Design Defensively
The challenge for many device manufacturers is that they are design experts, not cybersecurity experts.
Most companies don’t have the resources, bandwidth or time to add this talent to their design team. Complicating the issue is the reality that cyber threats to the medical community are growing in frequency and severity. This can be an overwhelming feeling for manufacturers.
It makes sense to partner with cybersecurity experts — those who are actively involved in monitoring and identifying threats and understanding how those threats are exploited.