The Changing Landscape of Medical Device Cybersecurity
When people think of Medical device cybersecurity they most often think about privacy, the protection of patient data and HIPAA compliance. While this remains the focus of many in the industry, cybersecurity professionals are increasingly concerned about the potential impact of security on patient health and safety.
Rapid advances in computer science, engineering and electronics have led to a new generation of connected medical devices that permit access to real-time patient data and the opportunity to monitor and adjust treatment remotely. These advances offer benefits to patients and caregivers alike in an environment where limited resources must be balanced with the need for greater and more dispersed care. But with connectivity and increased capabilities comes increased risk. Vulnerabilities in network-connected and remotely accessible devices like insulin pumps or cardiac pacemakers have the potential to cause real physical harm.
The challenge for manufacturers, healthcare providers and regulatory agencies alike, is to anticipate, identify and prevent security incidents when possible, and to manage breaches when they occur, protecting patient data AND patient safety. Increasingly, manufacturers understand the importance of “Security by Design” and of integrating project and product-level risk assessment with enterprise-level risk management processes. The regulators are also driving for increased security of medical devices, both for newly designed devices and legacy devices already deployed.
With the continued growth in new products and the expansion of the Internet of Medical Things, the threat landscape for network-connected medical devices is increasing exponentially. Cybersecurity breaches, once associated primarily with financial services, retail products and similar services, are now commonplace in critical infrastructure (e.g SolarWinds federal data hack to ransomware attacks on the domestic Colonial oil pipeline) and healthcare continues to be a primary target. This is the environment in which the benefits of network-connected medical devices must operate. In 2019 the FDA issued a safety communication warning patients and caregivers about vulnerabilities in the wireless communication between implantable defibrillators and their external monitoring devices, and more security guidance is expected as a result of the increased ransomware and other healthcare-focused cyber-attacks during the pandemic.
Addressing this increasingly critical issue will require a holistic approach that includes inputs from device manufacturers, healthcare providers, and regulators. Solutions to the problem should include a coordinated understanding of the complex medical device environment as well as improved security requirements for devices new and old. An example of the push for increased understanding of medical device security risk is the requirement for a software bill of materials in Executive Order 14028, which is supported by the FDA, which can substantially increase the ability to identify security vulnerabilities in medical devices.
As a result of this growing issue, the University of Minnesota’s new Center for Medical Device Cybersecurity (CMDC) was formed. It has grown out of relationships between the university and the medical device industry. The CDMC seeks to collaborate with industry partners to address current AND future challenges facing the medical device industry as well as the healthcare industry it serves. Workforce development is an essential part of the CMDC’s mission. Through seminars, roundtables, a hackathon, educational courses and workshops, the CMDC is engaging undergraduate and graduate students in the College of Science and Engineering showing them how their knowledge and skills can be applied to research, development, and innovation in this important and rapidly growing field. The CMDC benefits from connections with top U of M researchers in computer science, electrical and computer engineering, biomedical and mechanical engineering as well as from thought leaders with expertise in product development, innovation and entrepreneurship. The University of Minnesota and CMDC are well-positioned to collaborate with other academic institutions and Centers, like the University of Michigan’s Archimedes Center for Healthcare & Medical Device Cybersecurity to build a pipeline of talent and to encourage research collaborations across the country.
Throughout the 20th century, industry-university partnerships have been critical to overcoming the great challenges we have faced. Such partnerships remain an effective model. To that end, the Center for Medical Device Cybersecurity is uniting academic researchers with deep technical knowledge and research capabilities and industry professionals with complementary knowledge and experience to help address the most profound cybersecurity challenges we face.
About the authors:
Dan Mooradian and Michael Johnson were both Honeywell/James J. Renier chairs in Technology Management at the Technological Leadership Institute at the University of Minnesota (TLI).
Mooradian was the Director of Graduate Studies for TLI’s M.S. in Medical Device Innovation program, former VP of R&D at Synovis Life Technologies and former Director of the Research & Technology Center at Boston Scientific Corporation.
Johnson was the Director of Graduate Studies for the M.S. in Security Technologies program and former CISO and Operations Risk Director at Bremer Bank.