Medical Device Cyber Conference Calls for Improved Online Safeguards

The University of Minnesota’s Center for Medical Device Cybersecurity (CMDC) hosted a conference on April 11 with a call to improve and standardize cybersecurity for medical devices and the systems in which they operate. 

Hostile cyberattacks on health care systems can leak confidential data, block health care professional’s access to patient files and potentially wreak havoc on patient care, speakers told attendees, who were present both over Zoom and in person.

Kevin Fu, the FDA’s acting director of medical device cybersecurity, warned that manufacturers, health care providers and regulators must work together to thwart increasingly sophisticated attacks on healthcare systems. 

“This isn’t a teenager in a hoodie working in a basement by himself anymore,” Fu told conferees at the McNamara Alumni Center via Zoom. “Attacks are increasingly professional and are increasingly being carried out by elements of organized crime.”

Such attacks, Fu said, seek out weak links in health care organization’s online security structure. Too often, hackers can get access to confidential data through medical devices, which are not always built or deployed with security in mind.

Medical devices in this context could include everything from MRI machines to wearable at-home medical monitoring equipment – anything that might provide hackers with access into a health care network.

The Medical Device Security 101 event featured speakers from across the medical device community, sharing best practices and offering new concepts in hardening medical devices of all kinds against possible attack. 

Hope for the Best, Plan for the Worst

One consistent message that came from speakers throughout the day: assume that every possible access node in your system will be tested by hackers.

  • Deborah Bruemmer from the Mayo Clinic stressed that manufacturers can no longer assume that hackers will only go after easy targets, and said that health care providers must set clear minimum security requirements for medical devices before they are put into use in clinical settings.
  • Speaking on the topic of medical device IOT, Dave Presuhn and Sudar Shields from Boston Scientific discussed the need to tighten up security protocols for at-home wearable devices, as the desire to make them easy to use can also create system vulnerabilities.
  • Soundharya Nagasubramanian from Baxter gave a talk about best practices that have emerged in recent years for designing a successful product security program.
  • Steve Christy Cole, Kyle Wallace and Matt Weir of Mitre described how industry can best use early threat modeling to game out possible vulnerabilities in medical device software. 
  • Ed Heierman from Abbott spoke on the topic of SBOMs – the Software Bill of Materials that health care orgs are increasingly requiring of manufacturers. Heierman described the SBOM as “a nutritional label for software” that makes clear to customers what code is running inside the device.
  • Shannon Lantzy of Medcrypt, which provides security solutions to device manufacturers, gave a lively talk about the challenges in translating threat modeling into effective medical device design. 
Raising Awareness

The conference was hosted by the Center for Medical Device Cybersecurity (CMDC) which was founded in 2020, and which recently became part of the University of Minnesota’s Technical Leadership Institute (TLI).  CMDC director Bill Aerts talked about the event as something of a “coming out party” for the Center.

“It’s important that we raise awareness of what we're doing at CMDC,” Aerts said.  “There’s a need to continue educating people, especially those that are new to the topic who work in device manufacturing, and the health care industry, as well as academics and students. We intentionally called this summit device security 101. It's meant to be an overview of the topic.”

While the dangers of software vulnerabilities in medical devices is a topic that’s been understood for some time, Aerts notes that getting all the players on the same page has been a challenging process.

A decade ago, he says, when medical device cybersecurity was first becoming recognized as a critical issue, manufacturers were expected to find solutions on their own. But it’s increasingly seen as a shared responsibility across the entire healthcare industry. 

“Government regulators have to get involved to establish requirements for devices that are put on the market,” Aerts says. “In fact, the FDA has spent the last 10 years or so developing a set of regulations and standards that have really pushed us forward in this space.”

Health care providers too, Aerts says, need to know more about the devices they are deploying.

“They have to be able to secure their own devices, they have to be able to manage the devices across platforms. And that extends not only to healthcare providers, but even to you as a user. There are plenty of on-body or on-your-wrist devices out there. You have to take reasonable precautions to protect those as well.”

Aerts is optimistic that the conference will help to raise awareness around the issue, and believes that an industry-wide effort to address medical device cybersecurity is slowly picking up steam.

“There are a lot of great people working on this issue now,” Aerts says.  “But we need more trained people who are aware of it, and can come up with creative solutions to the problem.”

CMDC is not leaving that needed training to chance. In May, the center will be offering a four-week course on the topic of medical device cybersecurity. Designed to prepare early-career professionals working in medical device manufacturing and healthcare with an understanding of how to meet safety and security expectations, it will be taught by leaders in the medical device cybersecurity field. Registration for the online, eight-session course is now open.