Securing the Future of Medical Devices for Connected Health
As the number of connected medical devices increases, cybersecurity is an important part of their design.
September 27, 2024
Protecting healthcare data and patient identity has always been important, but the challenges of doing so increase with the advent and advancement of new medical technologies, including connected devices, as well as increasingly advanced technologies used by hackers to penetrate systems. While consumer data from any type of data breach holds value to hackers, health records are highly prized by criminals on the dark web, often fetching 40 to 50 times the value of financial data. In addition to financial information, these records also contain sensitive information such as genetic data, health conditions and biometric data – which cannot be changed or erased as you might do with a credit card or Social Security number. Once compromised, patients face lifelong consequences.
An important area of focus in healthcare cybersecurity is connected devices. In recent years we have seen more rapid development and adoption of Internet of Medical Things (loMTs), which was escalated by the pandemic when the need soared for remote patient care and monitoring. While we value the many benefits of these devices, a pressing security risk exists with connected devices transmitting data between the home and health facility.
The Consequences of a Security Breach
Because every aspect of the healthcare journey – devices, electronic health records, telehealth experiences, mobile health apps, and more – is vulnerable to being hacked, security remains the highest priority and concern in expanding the use of connected health.
Most connected devices enable remote monitoring of patient behaviors, therapeutic responses, and/or disease progression. Holding an immense amount of sensitive and highly valuable patient data, these devices are highly vulnerable to breaches from source (device) through to consumption (healthcare ecosystem). The data is highly valuable for application in clinical research and patient recruitment, accurate diagnosis, and contribution towards precision therapeutics.
But vulnerabilities aren’t just with the data journey; the device is just as vulnerable. Hackers have the ability to pinpoint a patient’s location or, worse, tamper with the device’s function causing a patient’s delayed treatment or inaccurate reading. In a connected device system all elements can be breached including the hospital network, reaching whatever endpoints they choose including a bed therapeutic device.
Proactive Measures to Prevent Breaches
As cyberattacks and data breaches persistently challenge technologists and manufacturers, understanding the relationship between security and safety becomes increasingly crucial. All manufacturers face the dreaded challenges of cybersecurity, but the liabilities and vulnerabilities are equitably distributed to all stakeholders in a healthcare system. Thus, everyone should be motivated to collaboratively mitigate the risks and, hopefully, someday completely prevent them.
At the present time, no one manufacturer or technologist can guarantee the 100% security of a connected medical device. However, the manufacturer can provide assurances that they are compliant with regulatory policies and available global technical standards that will mitigate the risk of vulnerability.
Standards to Enable Secure Connected Health
The U.S. Food & Drug Administration (FDA) now requires medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, on October 1, 2023, the FDA began exercising its authority to refuse submissions for cybersecurity reasons. In response to this new mandate, the IEEE Standards Association published a series of standards for diabetes-related wireless medical devices, designed to be extensible to all medical devices. IEEE SA also offers a Certification Program for Medical Device Manufacturers.
The recently published IEEE 2621™ Wireless Diabetes Device Security series of standards – adopted into the FDA’s catalog of standards in December 2022 – defines the framework for a connected electronic product security evaluation program, with specific requirements and guidance relating to digital diabetes devices and solutions (extensible for all medical devices). Developed by a multidiscplinary group of IEEE SA volunteers in an open, collaborative process in concert with the IEEE Engineering in Medicine and Biology Society (EMBS), the IEEE 2621 series addresses the uncertainities of data security and privacy of the 535 million global patients who are currently using or considering the use of one of these devices for monitoring and/or therapeutic delivery.
The IEEE 2621 series:
- Helps manufacturers to identify relevant threats, establish appropriate security objectives to counter them, and create security requirements that meet those objectives.
- Provides instructions for manufacturers on how to document the security of connected medical devices and their interoperable components so that they can be used safely with consumer mobile devices such as smartphones in the control of CDDs.
- Because of the increased attention paid to cybersecurity vulnerabilities by regulatory bodies, the development of cybersecurity standards and conformity assessment programs, such as the IEEE 2621 Conformity Assessment Program, may lead to a more consistent and robust approach to developing and supporting security in diabetes devices.
In addition to IEEE 2621, IEEE 2933-2024: Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS (Trust, Identity, Privacy, Protection, Safety, Security) was just approved. The standard establishes a framework with TIPPSS principles for Clinical Internet of Things (IoT) data and device validation and interoperability, which includes wearables and connected medical devices with EHR (electronic health records) and other remote and in-facility medical devices. It establishes a trust and identity framework for the approximate 1.7bn IoT devices that support the global demand for bringing the hospital to the home for patient recovery. The TIPPSS architecture framework encompasses:
- Device development and manufacturing
- Design lifecycle and management
- Inter-device and cross-systems trust
- Interactions between environments
- Decentralized environments
- Device-to-human interaction (e.g., support technician, clinical operator, or patient)
- Embraces the Zero Trust Architecture approach
Finally, a new pre-standards incubation program, Zero Trust Cybersecurity for Health Technology Tools, Services, and Devices was introduced in June 2023. The program seeks to develop a roadmap to a suite of new zero-trust network access (ZTNA) standards which integrate commercial and open-source health technologies to showcase robust security features of Zero Trust Architecture (ZTA) when applied to enterprise healthcare IT use cases. This will include authentication and authorization of subject and device discrete functions, remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Recommendations will be presented to validate and verify selected technologies (devices, platforms and systems) to modernize standard cybersecurity approaches in healthcare to mitigate hacking, secure data and any interruption of work.
Looking Forward
Connected medical devices play a pivotal role in the future digital healthcare system. As technologies continue to evolve, all ecosystem stakeholders will continue to face increased risk of cyber breaches diminishing trust in innovative technologies and the healthcare system and making patients’ privacy highly vulnerable in a sensitive environment. While there have been advancements in global standards, the quest for the solution to prevent cyberbreaches continues.
To learn more, please visit the IEEE Standards Association website to see our latest news, including standards development and releases, at standards.ieee.org and read our blog, Beyond Standards. I encourage readers to sign up for webinar notifications as well. You can also follow me on LinkedIn, where I frequently post news and events of interest. Lastly, we always welcome volunteers to join our efforts, including our Medical Device Cybersecurity Certification Program.
Maria Palombini leads the IEEE SA Healthcare & Life Sciences Global Practice working with a global community of multidiscplinary volunteers to achieve the mission of improve overall wellness with sustainable and equitable access to quality healthcare and nutrition by supporting and enabling innovation in an open and standardized means. Maria is the founder of DisruptiveRx, an information gateway addressing the critical need for pharmaceutical and life sciences executives to connect innovation with business strategy to re-think the process of the drug development and distribution value chain. She has extensive experience in building global media brands in multiple industry sectors. She holds a B.S. and B.A. from Rutgers College and an M.B.A. from Rutgers Graduate School of Business at Rutgers University.