Over the past year, I had the pleasure and honor to work with Chris Gates and Jason Smith from Velentium, as well as the team at Artech House, on a book titled Medical Device Cybersecurity for Engineers and Manufacturers.[1] With its focus on the device manufacturer challenge of implementing secure design practices, since its publication in September, the book has proven to be the perfect companion to AAMI's Medical Device Cybersecurity: A Guide for HTM Professionals,[2] which focuses on the problem from the hospital perspective.
Together, these two complementary books will help to make healthcare a more secure and therefore a safer place.
Why This Book?
The leading theme of the book is what we call the “secure life cycle management”—meaning the need to build cybersecurity considerations into every phase of the engineering life cycle. This is best accomplished with a “top-down” (leadership to hands-on engineer) and “shift-left” (address security as early as possible in a project) approach in which cybersecurity requirements and processes are built into every business decision and engineering process.
After more than 10 years of dealing with the topic, I was getting frustrated with the pace of progress the industry has made. It's not due to a lack of good intentions or willingness to change, but sometimes the oft-quoted need for “stakeholder cooperation” feels more like “kicking the can down the road.”
I don't intend to downplay all the hard work that many people—healthcare organizations, manufacturers, industry and standards organizations, and regulators—have done on the topic. Yet, we still need to translate the regulations, standards, frameworks, best practices, and processes we have been developing into actions that create a more secure device and ecosystem. Of course, we need to recognize and accept the practical, operational, and economic limitations that make rapid progress difficult; nevertheless, cyber adversaries will not be waiting until we are ready. And after all, we owe it to our patients.
As of the time of this writing, we have not heard of any reports of patient harm due to a cybersecurity incident on a medical device (within the uncertainty of actually being able to detect such an event). Sadly, though, we had a recent report of patient death as a result of a ransomware attack on a university clinic in Germany.[3]
Taking the Engineering Approach
As discussed in the book,[1] a commonly accepted best practice to ensure that products are safe, secure, and effective is to follow the approach of understanding market needs, defining requirements, following design best practices, and then in the end (through testing or other methodology) verifying that requirements are met and validating that the resulting product meets customer needs and expectations.
I postulate that the same systematic approach could be applied to the much more complex problem of improving the security posture of the larger healthcare infrastructure. We have identified and defined the need for more security (e.g., through the HIPAA Security Rule or Food and Drug Administration [FDA] cybersecurity guidances[4,5]) and, in great detail, the requirements (e.g., through a number of standards and frameworks, such as ANSI/AAMI/IEC 80001-1:2010[6] and AAMI TIR57:2016[7]). Therefore, we should be able to demonstrate through observation whether we have accomplished our goal (or not).
If we look at the state of cybersecurity in healthcare, we need to recognize that, so far, we have not been able to demonstrate success. For example, the Department of Health & Human Services requires reporting of health data breaches affecting more than 500 patients within 60 days of discovery. Yet, since 2009, we have seen an average increase of 10% per year, with a whopping increase of 36% from 2018 to 2019. Comparing data from January through September 2019 with year-to-date numbers for 2020 again shows an upward trend by another 12% (so far).
Ransomware attacks have also been increasing dramatically,[8] have more impact, and are becoming more expensive. Recently, a New Jersey hospital paid a $670,000 ransom demand to prevent the publishing of 240 GB of data.[9] The adversary group not only encrypted the data but also threatened its release, and to support their point, they posted a sample of 48,000 documents. The hospital assessed that recovery of the two encrypted servers would be less problematic, but out of concern over the threat of data release, they engaged with the criminals. In the end, the ransom demand was reduced from $1.7 million initially out of consideration of the “COVID-19 situation.”
In another example, a Pennsylvania-based provider chain was affected by ransomware, resulting in ambulances being diverted and lab test results being delayed.[10] The hospital opted to not give in to the ransom demand and reported that at the peak of the outbreak, all 250 U.S. locations were affected.
As a last example, we recently learned of a clinical trial firm that was hit by a ransomware attack, disrupting ongoing trials (including trials related to COVID-19).[11] In this case, however, the impact seemed to have been manageable.
Finding a medical device–specific indicator is more difficult because of the lack of appropriate measures and publicly available data. However, we can look at the number of vulnerability advisories and vulnerabilities disclosed to get a feel for any trends that may be observable, with the limitation that medical device vulnerabilities are not directly linked to actual security threats or events but could lead to such an incident.
Specifically, considering ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) medical device vulnerability advisories, an upward trend can be observed when comparing year-to-date numbers for 2020 with those of last year. Total advisories were 21 for 2019 (full year) versus 20 for this year (through September), totaling 42 (2019) versus 68 (2020) individual vulnerabilities.
Although the proper management and disclosure of vulnerabilities is generally seen as a sign of mature security processes, any downward trend would indicate that the industry is improving. However, no evidence exists to support this; in fact, we observe the opposite trend. Manufacturer vulnerability disclosures have been trending up since the FDA published its postmarket cybersecurity guidance in 2016.[5,12]
Unfortunately, all of these data points would lead to the conclusion that the state of cybersecurity in healthcare is not very strong. In fact, it seems that the bad guys are progressing faster than we, the good guys, are. Using a representative measure, recent research showed that just 44% of healthcare providers meet the National Institute of Standards and Technology's Cybersecurity Framework.[13,14]
Where We Go from Here
As an industry, we collectively need to work through the five stages of security grief. I hope very much that we will arrive at the “acceptance” stage soon, and I also hope that the medical device security book[1] will be one contributor to enable a sixth stage: “fixing.” It won't be quick, and it won't be easy; it will require hard work and compromise, but we can do it.
We also need to acknowledge that this is not just a technical issue. Therefore, the book is not only for a technical audience but also for managers and business decision makers, guiding them to a better understanding of the challenges and requirements (as appropriate for their role) and helping them to build and enable a security-capable organization.
This has been a demanding year, to say the least, with our national health system facing a challenge none of us had experienced before. Let's not add another major cyber incident to the mix.