Critical infrastructure has long been a prime target for cyberattacks. Whether the aim is to extort money or disrupt people’s lives, the more critical a service, the more impact an attack is likely to have. A number of recent attacks around the globe have made this clear.

People often take a fairly narrow view of what this critical infrastructure looks like. Maybe it’s the systems at a major water treatment plant or the IT network within a hospital trust. This approach can create an equally narrow definition of the solution: invest in traditional cyber security controls to protect your vital systems from attack and plan for remediation activity. 

Unfortunately, the reality is that it is not that simple and cybersecurity in healthcare requires a different approach.

Broadening access and improving outcomes with connected health

Healthcare has become increasingly reliant on digital services. And, like many things, this move to digital health has been accelerated by the COVID-19 pandemic. As people mobilised to minimise the spread of the virus, remote healthcare came to depend on the ubiquitous access to digital health technology and clinical data for patients and clinicians alike. 

We have seen the steady proliferation of connected medical devices (CMDs) over recent years. This can include anything from pacemakers that relay health data to CT scanners that share results with remote teams immediately. For some, these devices might even include personal smart devices that can track health data, but here we will be focusing primarily on those devices that connect directly to central hospital IT systems.

These have helped power the shift to a remote workforce and digital patient engagement that became critical during the pandemic. And, as Accenture’s recent Digital Health Technology Vision identified, this growth is likely to continue as more healthcare organisations move towards digital working practices.

CMDs enable healthcare professionals to deliver innovative new care pathways, broadening access to healthcare for all and delivering superior patient outcomes. However, as with any new technology, they come with their own challenges. In this case, increased connectivity not only opens new avenues for collaboration and communication, it also creates a wider threat surface for attackers.

Understanding the risk of networked healthcare

To understand how interconnected medical devices are, and the risk this presents, consider an analogy. Think about COVID-19, or indeed any virus, and how it spreads from person to person. If one person contracts the virus, anyone they come into contact with is at risk of contracting the virus too. Those that are infected are then at risk of passing it on to others in the same way and this cycle repeats exponentially. What was one infection can quickly balloon and, as we have seen, become a major global pandemic.

Of course, this is true of any network. However, the nature of CMDs means that they come with more complex security needs. Whilst more traditional and closed networks can be tightly monitored and restricted, CMDs can represent a range of assets in a variety of locations, including with members of the public on personal networks. This begins to add exponentially more connection points and means rethinking the way we approach security risks.

Securing connected healthcare with decentralisation

When thinking about this risk, the immediate response might be to focus on securing central IT systems. However, this is not a practical or ethical response. A hacked medical device could still result in a loss of patient data or, even worse, a loss of patient life. Equally, traditional security controls are often unsuitable for medical devices. When securing CMDs, we need to take a full-lifecycle approach to security.

It is not enough to secure a CMD once it has been received from the manufacturer and is in use within a hospital setting. Cyber security must be considered from the first point of the lifecycle, during manufacturing, to limit vulnerabilities and move to a more secure-by-design approach. This approach must then carry through to the installation of the device to ensure that the physical environment is also secure.

Once it is operational in a hospital setting or with a patient, we have to think broadly about the range of people interacting with the CMD, not just the medical staff who use it on a day-to-day basis but also the maintenance teams and others who will have access. Finally, once the CMD is at the end of its functional life, it must be disposed of securely, with all data removed.

This risk cannot be managed completely by a hospital’s cyber security team. Much like managing the spread of a biological virus, it requires a variety of measures and collaboration across the healthcare industry. This must include all players, from regulators to device manufacturers and IT system administrators. When creating this collaborative environment, there are two key steps:

  1. Establish the right regulatory environment to create clear standards. As previously highlighted, this is a whole industry undertaking. To enable this collaboration across organisations who may have very little interaction normally – for example medical device manufacturers and disposal teams – we need to establish shared ways of working and a cyber security standard that is expected. The upcoming UK Medicines and Medical Devices Act 2021 is a great starting point and an opportunity for the UK Government to lead on creating a standard that is expected for the cyber security of medical devices.
  2. Embrace technology that can support automated monitoring. Monitoring will always need to include a human element. However, embedding technology that can automatically spot a breach in a specific CMD and alert connected systems isn’t just beneficial, it is necessary. There is no way to monitor every connected device 24/7, so we need a way of improving transparency. This will need to be physically enabled by manufacturers and implemented effectively by security experts.

Of course, the entire process of developing this standard and deploying a technology is likely to be complex. But it is essential work. The impact of attacks on medical organisations could be deadly. In 2020, an attack on a hospital in Dusseldorf led to ambulances being re-routed to other locations, with one patient dying during this journey. It is unlikely that this was the hacker’s intention, and the hack was partially resolved when the attackers voluntarily gave back system access after seeing the patient impact. However, it is hard to ignore that when critical infrastructure is attacked the consequences can be fatal.

When identifying how to counter these threats, it is essential to stay alert to the latest threats. Accenture’s latest Cyber Threat Intelligence report explores this changing landscape and offers actionable insights to Health leaders. If you would like to discuss the findings, don’t hesitate to contact Ashish or Elizabeth.

Ashish Goel

Accenture Europe Health Lead

Elizabeth Lucas

Consultant – Security, Health & Public Service, UK & Ireland
