Networked medical devices open to attack
Despite the many potential rewards of networked healthcare, the risks are very real – and potentially catastrophic – when it comes to wearable and implantable medical devices, a new report shows.
The study, prepared by the Atlantic Council's Cyber Statecraft Initiative at the Brent Scowcroft Center on International Security in partnership with Intel Security, is titled "The Healthcare Internet of Things: Rewards and Risks."
[See also: Threat matrix: Malware and hacking pose dangers to medical devices ]
It offers an thorough accounting of the benefits of these new devices, while also offering a stark assessment of their vulunerabilities – and a series of recommendations for developers, regulators and clinicians aimed to help "maximize value to patients while minimizing security risks arising from software, firmware and communication technology."
[See also: Safety demands better device integration]
"Medical devices face the same technological vulnerabilities as any other networked technology," write the report's authors, Jason Healey, Neal Pollard and Beau Woods. "Hacktivists, thieves, spies, and even terrorists seek to exploit vulnerabilities in information technologies to commit crimes and cause havoc."
Worse, "when a networked device is literally plugged into a person, the consequences of cybercrime committed via that device might be particularly personal and threatening."
While most medical device development and production is still predicated on manufacturers’ preferences and patients' needs, the Atlantic Council report makes the case that industry and government should be embracing an "overarching set of security standards or best practices" to address the serious risks inherent in networked devices. The authors offer four suggestions:
- Stress security at the outset, rather than as an afterthought. "Medical device manufacturers must adopt a 'secure-by-design' approach to research and development," they write. "In the past, security has always been an afterthought. Because of that approach, security experts have had to deal with the reckless shortcuts developers have taken to try to cram security in after the fact. Adding security features to products after their initial rollout is a losing battle. It is simply too costly and ineffective to try to secure systems already in the possession of the end user."
- Improve private-private and public-private collaboration. Rather than simply more regulation, "more coordination is crucial," according to the report. "In any government agency struggling to deal with rapid changes in technology, regulators are not always as agile as they would like to be. To respond effectively, regulators require feedback from everyone involved through transparent collaborative forums, which ensure the regulator's independent function without concerns of collusion with the industry. Improving security almost certainly requires a safe place to talk about these issues, provide clarity on regulatory interpretation, reach agreement on how regulators can enable innovation and effectiveness, and serve as a safeguard of the public interest."
- Move toward evolutionary change of the regulatory approval paradigm for medical devices. Existing regulatory frameworks "must do more to encourage innovation, while still meeting regulatory policy goals and protecting the public interest," write Healey, Pollard and Woods. "(S)ome manufacturers push old technologies and stifle innovation because they know the old technology will obtain regulatory approval. As mentioned earlier, this can discourage manufacturers from innovating, which can actually result in decreased network security."
- Introduce an independent voice for the public in cybersecurity discussions. "In most countries, governments and private companies do not adequately represent the public's interest in medical issues. This applies specifically to striking a balance among effectiveness, usability and security when the device is implemented and operated." In the U.S., they point out, "regulators have already recognized the value of public input, especially from patients. Within the United States, guidance in 2012 from the FDA's Center for Devices and Radiological Health emphasized 'patient tolerance for risk and perspective on benefit.' The FDA can embrace this approach further, applying it industry-wide and offering specific guidance on how feedback from patients, or the broader public, should be collected and presented into the regulatory process."
As new networked devices "literally embed the Internet into people’s lives," the report concludes, they can help improve medical outcomes and lowering healthcare costs. But they can also introduce serious security flaws
Nonetheless, those risks can be "managed and even reduced" by embracing the steps outlined in the study, the authors write.
Read the whole report here.