Overcoming The Cybersecurity Challenges Facing Today’s Medical Device Industry 

In 2011, at the Black Hat USA security conference, Jay Radcliffe delivered a powerful presentation that made a lasting impact on the medical device industry. Radcliffe is a security researcher with type 1 diabetes. During his talk he demonstrated that he, or an attacker within a few feet, could remotely tamper with the insulin dosages administered by his insulin pump. This was possible because the device didn’t use any means of authentication or encryption.  

Later that year, at the Hacker Halted conference, researcher Barnaby Jack showed that he could take control of multiple insulin pumps from up to 300 feet away and deliver a fatal dose of insulin, again highlighting the vulnerabilities that exist in connected medical devices and the devastating outcomes that can follow if they are not properly protected.

Insulin pumps are not the only vulnerable type of medical device: security researchers have also demonstrated weaknesses in pacemakers that could be used to deliver a lethal electric shock to a patient. In 2017, the FDA issued a recall for almost 500,000 implantable pacemakers, the first medical device recall based on concerns that a device could be hacked.

The Vulnerability of Connected Medical Devices 

In the last decade medical devices have evolved massively and transformed the entire healthcare industry. Devices that were traditionally standalone are now designed to sit on IT and wireless networks. This brings countless benefits for patients and healthcare providers, but it comes at a price: during this technology transition cybersecurity risk was often not considered, so many connected medical devices are not as secure as they need to be.

This creates a real and present threat to patient lives. Regulators have responded by setting out mandatory requirements for manufacturers of connected devices. Manufacturers must a) perform a cybersecurity risk assessment of every medical device during the development phase and b) demonstrate continuous vulnerability monitoring of the device throughout its entire life cycle.

These regulations have come into effect in the US, Australia, Canada and China. Europe has similar cybersecurity regulations which came into effect in May 2021.  

Cybersecurity Challenges Facing the Healthcare Industry 

The healthcare industry as a whole has always been a prominent target for cybercriminals worldwide. Patient data is high-value, and the same intrusions that steal it can disrupt treatment routines, take systems offline, and give an attacker remote control of devices. The repercussions reach patients, doctors, hospitals, and everything else in the healthcare ecosystem.

The financial impact is enormous. Widely cited estimates put the global cost of cybercrime at $6 trillion in 2020, forecast to exceed $10.5 trillion annually by 2025, and healthcare is consistently among the hardest-hit sectors.

Any device with embedded software or an internet connection is exposed to malicious attack, and as technology evolves these risks become harder to eliminate. A report from Cynerio found that 53% of connected medical and other IoT devices in hospitals have at least one known critical vulnerability.

Some of the top healthcare cybersecurity threats include:

• Distributed Denial of Service (DDoS) attacks: an attacker floods a website or network with traffic to degrade its performance and availability. Cybercriminals use botnets to send more requests than the server can handle until it goes down.
• Legacy systems: tight budgets, upskilling costs, the need to preserve compliance certification, and complacency all discourage upgrading IT infrastructure, leaving unpatched systems that attackers routinely use as an entry point.
• Data breaches: the average cost of a data breach in the United States was $9.44 million in 2022, and healthcare has reported the highest per-breach cost of any industry for more than a decade.
• Ransomware and malware: 304.7 million ransomware attacks were recorded in the first half of 2021, a 151% increase over the same period in 2020. Typical initial access is a trojanised download or a phishing email whose link or attachment installs the malware.
• Insider threats: threats from inside the organization, for example a disgruntled employee, or a careless one with legitimate access. Insider incidents have increased by 47% in the last couple of years.

This list of threats, together with an ever-evolving regulatory landscape, leaves medical device manufacturers with three main cybersecurity challenges:

1. Ensuring compliance with evolving regulatory requirements.
2. Finding support when there is an overwhelming lack of cybersecurity expertise in the domain.
3. Minimizing the probability of malicious attacks on medical devices.

SelectEvidence™ from Nova Leah 

SelectEvidence™ from Nova Leah was created to help medical device manufacturers overcome these challenges. SelectEvidence™ is an expert cybersecurity risk assessment platform that guides medical device manufacturers through the process of identifying applicable vulnerabilities and highlighting the appropriate security controls to mitigate those risks. It gives manufacturers an intelligent, automated, and traceable approach to cybersecurity assessments.

SelectEvidence™ does this by ingesting the software bill of materials (SBOM) for each connected medical device and continuously matching its components against hundreds of thousands of known vulnerabilities, with 24/7 automation replacing periodic manual review. Proprietary algorithms accelerate the analysis, greatly reducing the time needed for risk management, and for each vulnerability identified the platform provides specific, actionable suggested mitigations.
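To make the SBOM-driven monitoring step concrete, here is an added example of the core matching logic, written for this page and not Nova Leah's or SelectEvidence™'s own code. It parses a small CycloneDX SBOM for a hypothetical pump controller, checks each component's package URL (purl) and version against an advisory feed, and emits a finding with the suggested mitigation for every component that falls inside an affected version range. The SBOM, the advisory identifiers (ADV-000x) and the mitigations are all constructed for the example; a real monitor would ingest the SBOM exported from the device build and poll a live feed such as NVD or OSV on a schedule.

```python
"""Continuous SBOM-to-vulnerability matching, in miniature (added example)."""
import json
import re

# Constructed CycloneDX 1.4 SBOM for a hypothetical infusion-pump controller.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "firmware", "name": "pump-controller-fw", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k", "purl": "pkg:generic/openssl@1.1.1k"},
    {"type": "library", "name": "zlib",    "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"},
    {"type": "library", "name": "lwip",    "version": "2.1.2",  "purl": "pkg:generic/lwip@2.1.2"}
  ]
}
"""

# Constructed advisory feed: hypothetical identifiers, not real CVEs.
# 'introduced' is inclusive, 'fixed' is exclusive; fixed=None means no fix yet.
ADVISORIES = [
    {"id": "ADV-0001", "purl_name": "pkg:generic/openssl", "introduced": "1.1.1", "fixed": "1.1.1n",
     "severity": "critical", "mitigation": "Upgrade to 1.1.1n or later; disable the affected TLS feature until then."},
    {"id": "ADV-0002", "purl_name": "pkg:generic/zlib", "introduced": "1.2.0", "fixed": "1.2.12",
     "severity": "high", "mitigation": "Upgrade to 1.2.12 or later."},
    {"id": "ADV-0003", "purl_name": "pkg:generic/lwip", "introduced": "2.0.0", "fixed": None,
     "severity": "medium", "mitigation": "No fix released; isolate the device on a segmented VLAN and filter untrusted IP options."},
]


def parse_version(v):
    """Split '1.1.1k' into ([1, 1, 1], 'k'): numeric parts compare numerically,
    an optional trailing letter suffix (OpenSSL style) compares lexically."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([A-Za-z]*)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    return [int(x) for x in m.group(1).split(".")], m.group(2)


def version_key(v):
    """Sortable key; pads numeric parts so that 1.2 == 1.2.0."""
    nums, suffix = parse_version(v)
    return (nums + [0] * (4 - len(nums)), suffix)


def is_affected(version, introduced, fixed):
    """True if version lies in the half-open range [introduced, fixed)."""
    key = version_key(version)
    if key < version_key(introduced):
        return False
    return fixed is None or key < version_key(fixed)


def split_purl(purl):
    """'pkg:generic/openssl@1.1.1k' -> ('pkg:generic/openssl', '1.1.1k')"""
    name, _, version = purl.partition("@")
    return name, version


def match_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose version is in range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl_name"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "mitigation": adv["mitigation"]})
    # Triage order: most severe first.
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(findings, key=lambda f: rank.get(f["severity"], 9))


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"[{f['severity'].upper()}] {f['component']} {f['version']} "
              f"affected by {f['advisory']}: {f['mitigation']}")
```

On the constructed data this reports the OpenSSL component (version inside the affected range) and the lwIP component (no fix released) and correctly skips zlib, whose version is past the fix. The generic version comparison here is the fragile part in practice: each ecosystem has its own version semantics, so production matching keys on purl or CPE and uses the ecosystem's own comparison rules. Re-running this matching every time the feed updates, rather than once at release, is what turns a one-off assessment into the continuous post-market monitoring that regulators expect.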

SelectEvidence™ is linked to industry standards and leverages key repositories of threats, vulnerabilities, and mitigating controls. Its processes are mapped to FDA and EU pre-market and post-market cybersecurity guidance expectations. With enterprise-level reporting tools, executives have live data showing the cybersecurity posture of their entire product portfolio, enhancing organizational transparency.

Discover how SelectEvidence™ can transform your risk management processes. Talk to us today and sign up for a free trial.  

Book your demo here 

Photo Credit:
Photos by Annie Spratt on Unsplash
Photo by National Cancer Institute on Unsplash