The “Top health industry issues for 2018” by PWC identified cybersecurity as a critical issue. The report stated that in 2017, there was whopping 525% increase in medical device cybersecurity vulnerabilities reported by the US government. The generic ransomware attacks like WannaCry on hospital networks and specialized orchestrated exploitations of active implantables have made the issue mainstream. It will only continue to snowball as medical devices start to extend beyond traditional healthcare settings, spilling into personal health care and overlapping with mobile applications. Historically, medical devices have been designed for isolated environments and hence were lax on security. But under an increasingly digitized world, these vulnerabilities have started to pose severe questions on where the ultimate liability of cyber-attacks lies.
The cybersecurity challenge needs to be tackled from two angles. They are:
- Technology – Does the technology exist to prevent vulnerabilities without increasing cost and performance? If so, where has technology adoption reached and what is the incentive to drive adoption?
- Regulatory – Is there an actionable authority mandating security across all geographies and have the legal boundaries been mapped?
Luckily, the technologies and solutions do exist to tackle these challenges. However, the regulatory needs are inadequate to push adoption of these. FDA’s pre-market guidelines (2013) that prevent non-compliant devices from being sold in the US is one good example of such a good regulation. Recently the Medicines and Healthcare products Regulatory Agency (MHRA) in the UK issued updated guidance to assess health applications for safety compliance. Clearly, more needs to be done to push manufacturers to upgrade security from “an optional patch” status to being a foundational part of their solution.
Being nascent and relatively less regulated, one would typically expect personal healthcare industry to pose a bigger problem but thanks to Continua Health Alliance, we see credible efforts to build systems that can deliver secure personal healthcare. Recently, they published the Continua Design Guidelines-2008-2017 (CDG) as the only secure end-to-end ICT framework for personal connected healthcare using open standards to create a secure data exchange mechanism. Apart from addressing interoperability challenges, there is adequate thrust on security; being called out at each actor, interface and technology levels.
At device interface level, recommendations for each technology (USB, NFC, Zigbee, BLE) – from physical action of the user touching the intended two devices to security mechanisms such as Passkey Entry Pairing, association models, key generation and encryption have been laid out. At services Interface level, end-to-end security and privacy have been modeled on ISO 27000 and SAML, and OAuth authentications have been recommended for different situations. At enterprise systems level, appropriate cross-enterprise IHE profiles such as XDS/XDM//XDR, Identity management (PIX), Entity authentication (XUA), Auditing (ATNA) have been recommended. Finally, under Continua Certification program, conformance testing using H.820-H.850 series, PlugFests and Connect-a-thons ensure compliance and industry alignment. Thus, one finds the concept of security pervasive throughout continua’s recommendations.
To conclude, with Continua’s latest directives, technology and solutions have finally caught up to ensure that the security dimension is central to personal connected healthcare. The larger issue, however, is to incentivize faster adoptions of these robust security practices from concept-to-design-to-implementation for all future generations of devices in the market. Steps should also be taken to identify, isolate and ‘patch’ or phase out old medical devices already in the market for security holes.