In the last few years we have seen breakthroughs in the IT industry, innovations in medical devices, and software that has brought in a paradigm shift in the healthcare services sector. These technological advancements and healthcare IT solutions promise a brighter, healthier future for mankind. It has become inevitable that, today’s healthcare stays in pace with the current technological developments in the field. Today's hospital is already equipped with advanced gadgets and powerful digital technology and tomorrow will have a much more effective healthcare technology. These advancements provide doctors with crucial data points to take critical as well as effective decisions, which ultimately improve quality of treatment and overall experience of the patient.
However, “with great opportunity comes great risk”. The digitization of health information not only creates efficiency, but also is exposed to more people, in many places and on more devices. With proliferation of healthcare devices into the human body, these vulnerabilities can take you and me to task. The devices like pacemaker, X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA), medical devices are ripe for attacks from cybercriminals for profit. Hackers are honing their skills to get their hands on this valuable data. Apart from the devices mentioned above, there are many other devices that present targets for cybercriminals, for example, diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more.
Cybersecurity has migrated from being “force majeure” to “raison d'être”, that too in a very short time. No industry using IT is untouched by it. Many healthcare providers are still grappling with ransomware attacks that took not only IT devices, but healthcare devices as well (e.g. the disruption to 'power injectors' in hospital from WannaCry in May 2017).
Different industries have taken their own measures to understand, analyze, and comply with the security measures as mandated by different cybersecurity regulations and standards as well as to market forces.
Medical device manufacturers have their own issues to grapple with, as far as cybersecurity is concerned. While they have regulations (FDA, EU, AU, MoH Malaysia) to contend with, market forces have also made sure that standards (ISO 14971:2007, ISO 13485:2003, ISO 10993-1:2009, IEC 62366-1:2015, IEC 60601) and best practices (OWASP Secure Medical Device Deployment Guide) are present to take advantage of. To their credit, medical device manufacturers have always tried to produce safe and secure medical devices in alignment with the market forces (i.e., competitions, time-to-market, regulations etc.).
As an independent third-party inspection and consulting company, TÜV Rheinland has always strived for contributing to the protection & sustainability of industry, by adhering to strict standards while performing inspections & consultations. As part of our consulting efforts, we try to educate our clients on the relevant knowledge, so that they can deploy these controls to their software development (SDLC) supply chain (aka shifting left in the application security parlance), minimizing their cost of closing security bugs and bringing down the total cost of ownership.
Ministry of Health of Malaysia organized the International Medical Device Conference 2017 on 8 -10 August 2017 and Mr. John Ramesh, Regional Business Field Manager of TÜV Rheinland was invited to present the latest development on cybersecurity risks on the medical devices. Also, the standard and regulatory landscape and appropriate framework to ensure proper security controls are deployed at every stage of the product life cycle.