Security is like the brakes in your car. It slows you down, but it also makes it possible for you to go a lot faster. (Gary Hinson)
On the Chaos Communication Congress in December 2015 in Hamburg, Germany, there was a talk about medical devices with new functions like a Bluetooth connection by a pacemaker to connect them to smartphones or a gateway for telemedicine. But with each connection to the outside world, a device becomes vulnerable which must be secured in a way that this connection cannot be used to harm patients. Last year the FDA pronounced a recall of medical devices related to cybersecurity issues for the first time in the history of the authority. This recall was related to an infusion pump which was hacked via an Ethernet port and a laptop, because no safeguards were implemented for this maintenance interface. The FDA can recall products now related to cybersecurity concerns not just due to fatality concerns.
But is it new that medical devices can be hacked?
Not really, a New York Times article described a successful cyberattack on a pacemaker carried out under laboratory circumstances already in 2008. Back then it was very expensive and complex, but with today’s computer power, it will be much easier.
Not only implants should be secured by IT security methods. Prostheses which are connected to a smartphone via Bluetooth or Wi-Fi must also be secured. A hacker can control the functions of the prostheses in terms of movement. Wearables and smartphones can have an influence on a patient’s life, if, for example, a smartwatch is used to measure the blood pressure of an individual which then recommends the user to take a pill against high blood pressure. This could spell disaster if the device would malfunction. In addition, the interface design can have an impact on patient safety if, for instance, the interface is so complex that even a healthcare professional cannot use the device in a proper way due to lack of expertise in the diagnostics of the device.
If implants, prostheses or other medical devices are used, there are some security issues. For example, transmitted data can be potentially manipulated or stolen and transferred to another location or party. If patient data is stored in the cloud, you must think about IT security for digital health solutions. Or do you want to outsource patient safety to the cloud?
How to solve the security issues for digital health?
The most important 13 rules to mitigate the security issues for digital health solutions:
1. Think about each function you want to implement and whether it is really necessary.
2. Use secure programming techniques, e.g.: validate input, keep it simple, use effective quality assurance techniques
3. Integrate security controls into your solutions like user authentication or blocking after a number of failed login attempts.
4. Only activate functions for emergency devices like pacemakers which are really required for device operation.
5. Do not use hard-coded credentials (e.g.: admin user name and password) and let the user change the password.
6. Test your solutions vigorously in clinical studies to figure out software bugs or other issues. Clinical trials are expensive, but they can help you to minimize late impact on your reputation due to malfunction of digital health solutions.
7. Think of possible threats to your solution and implement effective safeguards to block them.
8. Train doctors and staff on how to use and maintain your solution to ensure product quality and patient safety.
9. Keep the different lifecycles of software and medical devices in mind (3 years against 10-20 years).
10. Think about open hardware to ensure that patching can be done even after a couple of decades.
11. If your solution meets the definition of a medical device, follow the applicable GxP principles.
12. Validate your medical device to show that it is fit for its suggested purpose.
Additionally for policy makers:
13. Consider whether vendors and doctors should inform patient if and when they will update/upgrade to a digital health solution.
If you want to know more about IT security strategy and governance for digital health or need help do not hesitate to contact us at KVALITO Consulting Group. Our qualified employees can help you to implement an IT security framework and related controls for your digital heath solutions to ensure effective and efficient patient safety, data integrity, and product quality.
Author: Florian Schnettelker