Medical device makers take on cybersecurity challenges
For 25 years, hackers and computer experts from around the world have gathered annually at the Def Con Conference in Las Vegas. At the 2017 edition, security experts successfully compromised a variety of medical products, such as insulin pumps, glucose monitors and pacemakers. The demonstration served to reveal the potentially disastrous vulnerabilities present in too many of these crucial, life-saving devices.
The firms creating the next generation of medical products are producing advances in human factors engineering and capturing a unique visual brand language. At the same time, they must be conscious of the dangers that go along with connected devices. Manufacturers, researchers and regulators are confronting the threat of hacking as part of the product development process, and these efforts could make the difference in protecting patients and healthcare facilities.
Why hackers target medical devices
"Vulnerability to hackers is a pressing issue."
Makers of innovative medical products know that vulnerability to hackers is one of the most pressing issues in the industry. The WannaCry ransomware attack, which infected parts of the U.K.'s National Health Service along with many other organizations, thoroughly demonstrated the dangers of insufficient cybersecurity. The incident made manufacturers, regulatory agencies and the general public more alert than ever to the possibility of unauthorized individuals gaining access to private records and control over devices.
Medical products with features like wireless connectivity, remote monitoring and near-field communication offer tremendous advantages for gathering vital information and making adjustments as necessary. However, as Wired explained, those connections also provide access points for hackers. The problem is exacerbated by the thousands of devices used on a daily basis in hospital systems and the fact that many run outdated operating systems that don't receive new security updates.
As the hackers at Def Con showed, one way to confront the problem of cybersecurity is by locating weaknesses before hackers do. In 2016, some manufacturers learned of problems in their products only after they were on the market, like when the U.S. Food and Drug Administration issued an advisory for hospitals not to use infusion pumps because the dosage could be adjusted by attackers, or when Johnson & Johnson warned it was possible to gain unauthorized access to one of its insulin pumps. Consequently, medical device makers are taking a proactive stance and gathering as much information as they can about cyberattacks.
With encouragement from the FDA, these organizations are gaining fresh perspectives by sending representatives to events like Def Con, where they can learn first-hand from the white-hat hackers committed to finding security holes. According to the Financial Times, Colin Morgan, director of product security at Johnson & Johnson, spoke at the conference. He discussed the importance of incorporating enhanced security as a routine part of new product design and development.
"Healthcare is constantly evolving," Morgan said. "We are seeing more and more technology, which means more risk from a security standpoint, so it is important to have it as an integral part of our focus on product safety."
New initiatives to strengthen cybersecurity
A variety of organizations are actively working to provide makers of medical products with the best strategies to address hacking concerns. By exchanging information with device manufacturers, security experts are becoming highly aware of where the greatest dangers lie, helping to establish how to guard against them. The FDA has issued guidance to make clear the severity of the threat and lay out the methods firms should use to test connected devices thoroughly.
The Medical Device Innovation, Safety and Security Consortium, a multinational collaboration between organizations involved in promoting cybersecurity, is launching a network of facilities to pursue improvements that can be applied across the industry. At the World Health Information Security Testing Labs, devices will go through batteries of evaluations to simulate the rigor and complexity of real-world conditions, leading to improved results when new products go to market. According to a press release from MDISS, plans include facilities in New York, Indiana, Tennessee, California, the U.K., Israel, Finland and Singapore.
As medical product firms continue to produce new connected devices, they are also becoming more attuned to the threats that go along with these advances. Fortunately, partnerships between manufacturers, experts and regulators are revealing how to press forward with exciting advances while preventing unauthorized tampering. This shift will enable continued strides forward in the medical device design process.