Attempting to address the cybersecurity of medical devices is undoubtedly a daunting task. Without exception, the medical industry has continued to evolve at an unprecedented pace in recent years. It is almost a daily occurrence to read in the news about a new scientific breakthrough or the introduction of new technologies that can improve the quality of healthcare.
As a result of increasing demands imposed on accuracy and rapid availability of medical information, the reliance upon information technology (IT) components in medical devices is ever increasing with no end in sight.
Furthermore, it is quite common these days to speak of medical technology and, more specifically, medical devices requiring some form of integration with other sources of information, most of which interface with other systems. If the end goal is to attain a complete medical record that can effectively paint the big picture, it would seem that integrating medical devices is the only way to see this goal become reality.
Accuracy and Efficiency Versus Information Security
If we consider that the medical manufacturing community, and the medical industry in particular, are constantly striving to achieve higher efficiency, it would seem that not much consideration has been given to protecting the information these devices process and that the focus has always been on accuracy and efficiency, not information security.
The process by which risk is measured applies to almost everything these days. The same model is used to assess systems ranging from complex architectures spanning entire enterprises to the simplest of endpoint devices. The same holds true for every medical system and device in our environment, regardless of its level of complexity. The process is well-defined; however, the same rules that traditional IT systems must abide by cannot easily be applied to medical devices.
At first glance, it would seem logical to apply the latest and greatest software update on a given system. The advantages are obvious.
Application code flaws are being discovered at an alarming rate, and operating system and database developers are correcting these as soon as they are discovered in order to avoid exploitation by cybercriminals. It is effectively a race against time in which the end goal is to make sure that weaknesses in the code are corrected before cybercriminals can exploit them.
If a given vulnerability were to affect a desktop computer, for example, taking immediate action to remediate it would be the responsible thing to do, not only to protect the affected computer but, to a larger extent, to decrease the overall risk for the entire network by preventing that desktop computer from being used as a conduit to deliberately compromise other systems that perhaps contain more valuable information.
Since the application of security updates appears to be a straightforward process, what is the risk should the process fail?
In the case of the traditional general purpose desktop computer, a failed installation of a software update, aside from a possibly unexpected reboot, will require a call to the local IT department, which may incur minimal downtime before the issue is corrected, or perhaps a loaner computer can be issued in the interim so as to minimize downtime.
What about a similar scenario, only this time affecting a medical device? The consequences may range from a brief disruption in healthcare services to far more serious cases in which patient safety is directly compromised, perhaps resulting in misdiagnosis or worse yet, possible loss of life as a result — or a complete medical device malfunction during an invasive procedure.
In this case, “normal” IT practices cannot be applied. For example, there are not typically any loaner medical devices to give the healthcare provider if a device is disabled as a result of a failed update.
Federal law states that if a patient is grievously harmed during the routine use of a medical device, the device manufacturer is held responsible.
Conversely, if non-validated changes are made to the medical device, even a simple operating system update, after which a patient is harmed, the organization that altered the medical device is held responsible. The only individuals trained and authorized to repair or install validated updates, patches or other configuration changes are Biomedical Equipment Technicians (BMETs).
Despite the nuances of medical technology, all systems utilizing IT components are required to adhere to Department of Defense cybersecurity requirements. In light of this, and recognizing the risk that commercial-off-the-shelf (COTS) medical technologies present to our network, Naval Medical Logistics Command is actively working with medical device manufacturers to comply with DoD policies to the extent practicable.
Information Security is at the Forefront of Everything We Do
An effective approach in ensuring that medical devices present an acceptable initial security baseline is to address the issue of cybersecurity directly at the source — in design and engineering. Although this may seem somewhat radical, the idea behind conveying such a message in the form of a technical requirement during the initial stages of the procurement process is useful. It states, in technical terms, exactly what is required to operate in an environment where cybersecurity plays a crucial role. It also dispels claims and assumptions regarding cybersecurity compliance.
The requirement to provide such a level of technical detail in the selection process undoubtedly produced a ripple effect in our medical vendor community. Essentially, we as a customer are willing to tell the manufacturer that information security is at the forefront of everything we do and is therefore to be taken seriously.
Our challenge lies in the fact that we as customers have the responsibility of protecting our medical information on systems normally developed for the commercial space and yet achieve a level of compliance which most of them were not designed for.
Not all vulnerabilities are the result of newly discovered weaknesses that we read about in the press. Sometimes, it’s the result of a major cybersecurity incident. Studies have revealed that perhaps many of these incidents could have been prevented if the customer had complete knowledge of the true information security baseline when the system was evaluated for selection in the procurement process.
So, is it safe to say that there is hope that someday a medical device will present a zero-risk picture?
I would like to believe that as cybersecurity incidents continue to remind us of what can go wrong if information security is not in the forefront of the lifecycle of medical devices, it is our responsibility as consumers of this technology to collaborate with manufacturers by making sure cybersecurity policies and procedures are adhered to.
To this end, the Navy Picture Archiving and Communication System office developed the Medical Device Risk Assessment (MDRA) to not only assess the security baseline of a medical device under consideration for procurement, but also in a much broader sense, to clearly convey our message to the medical device industry that in our environment cybersecurity is not only important, but also necessary — and like it or not — it is here to stay.
We understood the repercussions of establishing such a requirement as perceived by the medical device manufacturing community and vendors.
The Navy now requires a complete, lengthy, very technical questionnaire in which medical devices are literally placed under a microscope and every aspect of their design and engineering is scrutinized. Perhaps so, but isn’t that exactly the information we are entitled to obtain before making a well-informed decision to buy?
By way of a simple analogy: if consumers choose to buy products that are inherently risky, such as the case of a previously owned vehicle, wouldn’t it be beneficial to the buyer to have the complete picture that accurately documents each and every flaw and defect that has been corrected before assuming the risk of driving such a vehicle, for example, by obtaining a CARFAX report?
In that regard, medical technology is not much different. Although the procurement of previously owned products does not apply to this discussion, the use of an effective tool specifically designed to accurately quantify risk is the first step towards understanding risk management.
I would ask, what good is it to the Navy, when the latest and greatest medical device technology that offers all the “bells and whistles” can also, sometimes with minimal effort or skill, become an easy target of cybercriminals using information readily available on the public Internet?
Yes, cybersecurity is challenging, but asking all the right questions up front not only gives us a clear picture of the level of risk inherent in a medical device, but also helps us avoid “last minute surprises.”
The good news is that since its introduction back in late 2012, the Medical Device Risk Assessment has started to gain acceptance by the medical device manufacturing community. Although technical in nature, the MDRA helps medical manufacturers bring cybersecurity into the engineering process when considering operating a medical device in our environment.
Since its introduction, the MDRA has undergone a few revisions consistent with advances in Department of the Navy policies, information technology and the cybersecurity requirements associated with these new technologies, for example, the use of stronger encryption cipher algorithms.
To date, we have collected hundreds of these questionnaires. Each has been reviewed and cataloged for future reference. The information they contain becomes For Official Use Only (FOUO) once completed.
Although initially conceived as a procurement tool, the MDRA has evolved into an effective means of quantifying the risk introduced by medical devices. As such, it plays a key role in the selection of medical devices for the procurement process.
The MDRA, currently at version 2.0, can be downloaded from the Naval Medical Logistics Command public-facing webpage located at: http://www.med.navy.mil/sites/nmlc/Pages/default.aspx.
This article first appeared in the NMLC publication: Logistically Speaking.
Walter J. Sandman is an Information Specialist at Naval Medical Logistics Command (NMLC). The NMLC Program Management Office (PMO) is responsible for the acquisition of medical device information technology for Naval Medical Treatment Facilities. One of Mr. Sandman’s primary responsibilities is to ensure that medical devices governed by the Food and Drug Administration (FDA) comply with DoD and DON cybersecurity requirements.