The most effective solution for cybersecurity issues in medical devices

Listen on the go!

Amidst the growing healthcare connectivity with widespread adoption of medical IoT devices and Software as a Medical Device (SaMD), cyberattacks and patient privacy concerns are also on a rise. 

During the pandemic, the healthcare industry has taken some immediate and urgent measures to address the lack of sufficient resources and hastily adopted telehealth and other digital solutions for offering patient care. 

Remote medical devices and Software as a Medical Device have proven to be a boon as healthcare institutions were struggling with a severe lack of equipment as well as professionals. 

However, as more and more patients adopt smart medical devices as pacemakers, insulin pumps, cardiac implants, or other vital monitoring systems, they are also being exposed to potential cyberattacks. 

Axel Wirth, Chief Security Strategist at MedCrypt said in an interview with MedTech Intelligence, “Security is not purely a technical or engineering issue. Cybersecurity has to become a business objective. An organization must realize strategically how important cybersecurity is and that they need to build a culture of security into development processes from the concept of a new device to it being transferred into manufacturing and eventually shipped to a customer. That entire lifecycle of the device needs to embrace security. It’s a technical topic but it’s not just a technical problem—it’s a business challenge that needs to be looked at as a business problem. 

The cybersecurity threat on medical devices is real and here, demanding immediate attention from those concerned. Let us understand how the cybersecurity issues can be solved effectively with medical devices testing and security testing. 

The state of medical devices cybersecurity 

Earlier this year, the U.S. Food and Drug Administration informed patients, providers, and manufacturers about potential cybersecurity vulnerabilities in certain medical devices using Bluetooth Low Energy.  

Known as ‘SweynTooth’, the vulnerabilities upon exploitation may allow an unauthorized user to wirelessly crash the device, stop it from working, or access device functions normally only available to the authorized user. 

Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health commented – 

Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harmThe FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies. An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.” 

Have a look at these alarming statistics pertaining to medical devices security status: 

  • Medical devices have an average of 6.2 vulnerabilities each; 60 percent of medical devices are at end-of-life stage, with no patches or upgrades available. 
  • More than 93 percent of healthcare organizations have experienced a data breach over the past three years, and 57 percent have had more than five data breaches during the same timeframe. 
  • Ransomware attacks on healthcare organizations are predicted to quadruple between 2017 and 2020, and will grow to 5X by 2021. 

Security testing and cybersecurity assessment for medical devices 

As part of the medical devices security best practices, every stakeholder involved in the manufacturing, distribution, and usage has a responsibility toward ensuring that the device is safe. 

FDA has issued a few tips for patients and caregivers as they play a critical role in safeguarding the medical devices: 

  • Technology evolves over time, so software will need to be updated. Recognize the value of applying those updates and talk with your health care provider if you have any questions about them. 
  • Register your device with the manufacturer. It is an extra step, but it may help the manufacturer reach you more quickly to send you important information. 
  • Be observant and vigilant. If you think your device is not functioning as it should, do not ignore it. Discuss it with your health care provider. Notify the device manufacturer and report it to the FDA’s MedWatch. 
  • Involve your family or caregivers. Educate them about your device or enlist their help if you are not tech savvy. 
  • If there is a serious event, seek medical attention. 

As cybersecurity vulnerabilities may creep up at any point in time of the device’s usage, it is essential that everyone diligently follows the security guidelines and best practices. 

However, when we talk about the most effective solution for addressing the cybersecurity challenges in medical devices, doing just this much is not enough. 

To ascertain that a medical device is completely secure and is at minimal risk of exposure to malicious hackers, they need to have security and privacy built into their design. 

Security testing, software penetration testing, and thorough vulnerability assessment should be conducted right from the beginning of the design and manufacturing process and should continue with every update and change in the medical device software. 

If we look at the past cyberattacks, most of the incidents happened due to negligence at some or the other level. Either the devices were operating on legacy infrastructure, or they were long pending for an update, or the vulnerabilities were being ignored. 

Having an end-to-end security testing strategy devised and implemented for medical devices has become the need of the hour. 

How can we help 

Cigniti is an ISO13485:2016 Certified Organization & the chosen Software Testing services partner for large Medical Device manufacturers and users. We help you address challenges in Medical device software testing and also in implementing guidelines & best practices in software testing lifecycle of these devices. 

Cigniti’s Security Testing and web application penetration testing uncovers vulnerabilities in applications, ensures your application risks are minimized, and benchmarks your software code for increased quality assurance. Cigniti’s Security TCoE consists of dedicated teams of security testing specialists with deep expertise spanning multiple industries, cutting-edge technological resources, and tools. 

Schedule a discussion with us today.