
The Insecurity of Things: Why you are your own worst enemy

If we have learned one thing about security in the age of smart, connected devices, it is that no one is immune to data breaches. In 2015, three of the seven largest data breaches on record were healthcare-related, with the Anthem breach taking the top spot overall, affecting nearly 80 million people and costing an estimated $37 billion.

Cybercriminals are increasingly targeting medical device and healthcare companies for access to lucrative personal data, including Social Security numbers, birthdates, email addresses and medical record numbers. But data breaches and cyberattacks are more than just a security problem. A data breach can have long-term, detrimental effects on your business in terms of shareholder confidence and corporate reputation.

Now that some major players in the market have come forward as victims of cyberattacks, other organizations need to take a close look at their own security practices and networks and mitigate security risks where they can.


Why are medical device OEMs susceptible to cyberattacks?

Many healthcare organizations rely on legacy systems and have not invested in security at the same rate as the threats they face have grown. To complicate matters, digital technology means devices are not merely connected to the Internet; they are often connected directly to the healthcare provider’s network, which gives an attacker who compromises a device a path to data that looked adequately protected. When a vulnerability in a medical device or its network is exploited, both the device and the provider’s network can be breached.

There are three basic ways hackers gain access:

  1. Malware: Malware can infect a healthcare provider’s network using the medical device as the point of entry. Once a network or system is breached and infected, the hacker can take what they want for as long as they want until the hole is found and plugged. In 60% of data breaches, data is stolen within hours, but 54% of breaches are not discovered for months.
  2. Missing Software Updates: If your users are not running the latest version of the software, they may be missing necessary patches or fixes, leaving their device and network exposed to known flaws.
  3. Lack of Basic Safeguards: Some devices ship without strong access controls or authentication. This lets hackers gain unauthorized access to these devices, and through them to the networks they sit on, with little effort.


What can you do about it?

Medical device OEMs already have to comply with regulations on protecting patient privacy, including HIPAA. But while HIPAA requires that security be addressed, it does not tell you which safeguards to implement. In today’s competitive medical device landscape, where avoiding digital technology is not an option, medical device OEMs need to understand their device’s vulnerabilities and take the necessary steps to mitigate their security risks.


Security by design: Your corporate firewall is no longer enough

Integrating security into product design is not an easy task, but it is a necessary one. There is no one-size-fits-all solution, so security must be looked at holistically from the start to ensure that the device, as well as every device and application it interfaces with, is secure by default. Best practices include:

  • Leverage secure boot, authentication, encryption and anti-tamper technology in product design
  • Use protocols and embedded firewalls for secure communication
  • Enable device visibility based on remote command audits and event reporting
  • Utilize remote policy management and integrated security management systems
  • Develop policy-based filtering to provide a critical missing layer of security for medical devices
  • Consider limiting the number of device interfaces
  • Deploy mechanisms that require physical proximity to authorize critical functions
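To make several of the practices above concrete, here is an added example (not code from Logic PD or from any real device) of a command filter for a hypothetical infusion pump. It combines a per-interface, policy-based allowlist, authentication with a constant-time credential check, a physical-confirmation requirement for critical commands such as changing the delivery rate or loading firmware, and an audit trail of every decision for event reporting. The interface names, command set, credential value and the `filter_command`/`session_authenticate` functions are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Interfaces a command can arrive on (hypothetical device). */
typedef enum { IF_SERVICE_PORT = 0, IF_NETWORK = 1, IF_COUNT } iface_t;

/* Command set of the hypothetical pump. */
typedef enum { CMD_READ_STATUS = 0, CMD_READ_LOG, CMD_SET_RATE, CMD_FW_UPDATE, CMD_COUNT } cmd_t;

/* Policy bits: a command is dropped unless P_ALLOW is set for its interface;
 * P_NEED_AUTH requires an authenticated session; P_NEED_PROX additionally
 * requires a fresh press of the physical confirm button on the device. */
enum { P_ALLOW = 1, P_NEED_AUTH = 2, P_NEED_PROX = 4 };

static const uint8_t policy[IF_COUNT][CMD_COUNT] = {
    [IF_SERVICE_PORT] = {
        [CMD_READ_STATUS] = P_ALLOW,
        [CMD_READ_LOG]    = P_ALLOW | P_NEED_AUTH,
        [CMD_SET_RATE]    = P_ALLOW | P_NEED_AUTH | P_NEED_PROX,
        [CMD_FW_UPDATE]   = P_ALLOW | P_NEED_AUTH | P_NEED_PROX,
    },
    [IF_NETWORK] = {
        [CMD_READ_STATUS] = P_ALLOW,
        [CMD_READ_LOG]    = P_ALLOW | P_NEED_AUTH,
        [CMD_SET_RATE]    = P_ALLOW | P_NEED_AUTH | P_NEED_PROX,
        [CMD_FW_UPDATE]   = 0,   /* firmware is never accepted over the network */
    },
};

typedef enum { DECISION_ALLOW, DECISION_DENY_POLICY, DECISION_DENY_AUTH, DECISION_DENY_PROX } decision_t;

typedef struct {
    iface_t iface;
    bool authenticated;
    bool proximity_confirmed;   /* set by the button handler; cleared once consumed */
} session_t;

/* Audit trail: every decision is recorded so it can be reported off-device. */
#define AUDIT_MAX 64
typedef struct { iface_t iface; cmd_t cmd; decision_t decision; } audit_entry_t;
static audit_entry_t audit_log[AUDIT_MAX];
static size_t audit_count;

static void audit(iface_t iface, cmd_t cmd, decision_t d) {
    if (audit_count < AUDIT_MAX)
        audit_log[audit_count++] = (audit_entry_t){ iface, cmd, d };
}
size_t audit_entries(void) { return audit_count; }
decision_t audit_decision(size_t n) { return audit_log[n].decision; }

/* Constant-time comparison so a wrong credential cannot be found byte by byte via timing. */
static bool ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Constructed credential for this example. A real device holds a per-device
 * secret provisioned at manufacture (ideally in a secure element), never a
 * value shared across the fleet or baked into firmware. */
static const uint8_t device_credential[16] = {
    0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c };

bool session_authenticate(session_t *s, const uint8_t *token, size_t len) {
    s->authenticated = (len == sizeof device_credential) && ct_equal(token, device_credential, len);
    return s->authenticated;
}

/* The filter sits between the transport and the command handlers: nothing
 * reaches a handler unless it passes here, and every outcome is audited. */
decision_t filter_command(session_t *s, cmd_t cmd) {
    decision_t d;
    if ((unsigned)s->iface >= IF_COUNT || (unsigned)cmd >= CMD_COUNT) {
        d = DECISION_DENY_POLICY;                 /* unknown interface or command: drop */
    } else {
        uint8_t p = policy[s->iface][cmd];
        if (!(p & P_ALLOW))                                    d = DECISION_DENY_POLICY;
        else if ((p & P_NEED_AUTH) && !s->authenticated)       d = DECISION_DENY_AUTH;
        else if ((p & P_NEED_PROX) && !s->proximity_confirmed) d = DECISION_DENY_PROX;
        else {
            d = DECISION_ALLOW;
            if (p & P_NEED_PROX) s->proximity_confirmed = false; /* one press authorizes one critical command */
        }
    }
    audit(s->iface, cmd, d);
    return d;
}

int main(void) {
    session_t net = { IF_NETWORK, false, false };
    printf("set rate, unauthenticated: %d\n", filter_command(&net, CMD_SET_RATE));              /* 2 = DENY_AUTH */
    session_authenticate(&net, device_credential, sizeof device_credential);
    printf("set rate, authenticated, no button: %d\n", filter_command(&net, CMD_SET_RATE));     /* 3 = DENY_PROX */
    net.proximity_confirmed = true;
    printf("set rate, authenticated, button pressed: %d\n", filter_command(&net, CMD_SET_RATE)); /* 0 = ALLOW */
    printf("firmware over network: %d\n", filter_command(&net, CMD_FW_UPDATE));                 /* 1 = DENY_POLICY */
    printf("audit entries: %zu\n", audit_entries());
    return 0;
}
```

The design choices worth noting: the policy table is data, so tightening what the network interface may do is a table change rather than a code change; a physical button press authorizes exactly one critical command and is consumed on use, so a remote attacker cannot ride an earlier confirmation; and denied requests are audited just like allowed ones, which is what makes anomalous command traffic visible to the provider.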


Risk and remediation: Defining parameters to make a plan

Remember back in 2008 when researchers proved they could subvert a pacemaker to deliver life-threatening shocks to its owner? How about in 2013 when cybersecurity expert Billy Rios remotely hacked a Hospira infusion pump to prove he could administer a lethal dose of drugs? In both of these cases, the essential function and safety of the device were compromised.

In January of this year, the FDA released a draft guidance on important steps in addressing cybersecurity. In it, the FDA recommends clearly defining a device’s essential clinical performance and using that definition to develop a plan to protect against, respond to and recover from cybersecurity risks. In other words, medical device OEMs need to understand what the device must do to remain safe at all times and what threatens that. This lets you identify your biggest security risks and create a remediation plan prior to launch, so you can act quickly should a breach occur.


Lifecycle Risk Management

Because cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate all risks in the design and development of the device alone.

Updating operating systems regularly is an important part of your ongoing security strategy. Hackers target vulnerabilities in operating systems, and regularly installing updates closes those holes and protects your data. We recommend a policy of notifying users of important software and security updates and enforcing update requirements where necessary.


Security is an ongoing concern for anyone leveraging digital technology, but especially for the medical device industry. Every additional device or connection opens up another possible point of entry, for legitimate users and for those with malicious intent alike. In the race to market with new devices, security is often an afterthought, turning you into your own worst enemy. To be successful and reduce the chances of a breach, medical device OEMs need to identify their security risks, balance those risks against device functionality and create a plan for complete security lifecycle management.

