“The industry needs to learn quickly”
Medical devices and systems are becoming increasingly networked and, at the same time, they are processing highly sensitive patient data. There are risks involved because cyber attacks on medical technology are on the increase. Legal requirements have been introduced in response. Manufacturers are now obliged to protect their systems against attacks in compliance with the Medical Device Regulation (MDR) of the European Union. We interviewed Robert Feld, systems architect at Corscience, about what this means for us and our customers.
Robert, is this issue on the industry’s radar, or is it now catching many companies off guard?
It chiefly depends on the size of the company, in my opinion. Big companies are usually already aware of this problem, and are either setting up internal structures or have them in place already. With small companies, on the other hand, I still tend to see less than optimal preparation where this issue is concerned. But overall there is movement.
What are the typical gateways? What specific attack scenarios are there?
Currently, the most significant attack scenario in the field of medical technology, both criminally and economically, is blackmailing a hospital with stolen or encrypted data. The final targets are actually the hospital IT servers, but because medical devices in hospitals are integrated into networks and sometimes communicate with the internet, they can be a gateway.
Intellectual property theft is another scenario. As well as stealing know-how from a medical device, a hacker could also steal specific implementations, such as ECG algorithms, and use them for a cheap copy of the device, for example.
Do you have an example of a cyber attack in the field of medical technology that had serious consequences?
One example would be the sensational discovery of a security gap in a cardiac pacemaker. A security researcher discovered the gap and then sold it to a company that bets on falling stock prices and made a profit from the publication. Germany’s Federal Office for Information Security (BSI) has also investigated the cyber security of medical devices and discovered gaps. Then there was an attack on hospitals in the Franconia region of Germany at the beginning of this year, for example.
Legal requirements have been introduced in response to threats like these. What exactly does the MDR say about cyber security? What does it mean that medical devices have to be “cyber-secure”?
Cyber security means protecting systems and data against attacks. So, on the one hand, it concerns data protection and protection against manipulation to prevent malfunctions, but also availability. An attack can put a device out of action or prevent access via the network, for example. Protection goes beyond the individual device. A hacker who attacks a hospital network can, for example, gain access to the critical infrastructure, such as the WLAN network or passwords, via a poorly secured medical device. This then enables the actual attack, which is often carried out in stages and over a long period of time. The MDR addresses various aspects of cyber security, but naturally remains vague regarding specific requirements. The Medical Device Coordination Group deals with it in more concrete terms.
What specific obligations and measures result from this?
As is the case with other MDR requirements, we have to demonstrate that we maintain cyber security. This requires processes for identifying and verifying the relevant requirements. For that you need knowledge of the regulations and relevant standards, plus the methodology and technical implementation.
What effect does this have on our processes?
Cyber security is incorporated in the development process from the word go – as has always been the case with functional safety – so nothing is fundamentally different development-wise. However, once the devices are on the market, we now also have to ensure that they remain cyber-secure for the entirety of their lifetime, and that they are technically up to date. As developments here are much faster than in the area of safety, there’s more work involved. A device that we design today, launch on the market in three years’ time and then sell for seven years with a lifetime of ten years must therefore be secure for 20 years. This means we have to think ahead and assume that we will regularly need to respond to new threats with updates and fixes.
How far is Corscience in implementing this? How do we protect our medical technology to prevent cyber attacks?
We are right in the middle of it. That is to say, we’ve implemented a number of important measures and started to apply them to new projects. We have new models for cyber security analysis and our initial experience with them has been very good. We are currently in the process of designing the phase after market launch and anchoring the new tasks in our processes.
Is the experience with cyber security measures that we are now gathering transferable to our customers? Could our customers benefit from that?
For one customer, we’ve just tested a device that was approved under MDD rules, and we discovered that it already needs improvement, based on what we know today. What is important now is to pass on these lessons learned for the future. Every experience with cyber security makes us better and we are learning quickly, especially in our project work, because we’ve got to…
Is it possible to make a system completely cyber secure? What challenges are involved?
Of course, absolute security isn’t possible, and eventually you get to a point where the cost involved is no longer proportionate. The trick is to identify the critical points and then invest resources in improving security there. In addition, you also have to make improvements after market entry where necessary. Conceptually, the defense-in-depth principle is important here. As I have to assume that every security measure can be overcome, combining several different measures is a proven means of reducing the likelihood of a successful attack.
Furthermore, a final test by independent experts, usually a penetration test, is an important measure to verify cyber security. It’s important to remember that you cannot introduce security into the device through testing. If you don’t integrate cyber security from the start, it will prove costly later on! The earlier in the project you start on this, the more effective it will be. We’re happy to provide support in this process.