Cybersecurity has proven to be a challenge, not only with regard to ensuring the security of medical devices, but also preparing documents for regulatory submissions.
Sello Malete, head of regulatory affairs, quality assurance, SHE and facilities at Roche Diagnostics, delves into the topic of cybersecurity in healthcare.
Health authorities in many regions, including the US, Australia, Canada and Japan, have released new cybersecurity guidance documents. In addition to pre-market concerns, some of these guidance documents also include expectations for post-market expectations.
Q: Why is cyber security so vital to the digitalisation of healthcare?
A: Cybersecurity is vital for the following reasons:
- The majority of our products include software and are connected
- In an increasing digital world, we have become more vulnerable and exposed to cyber risks
- Cyber risks have the potential to become a serious risk for our business and jeopardise our right to operate, if not addressed appropriately
- Our customers expect us to protect their products and infrastructure from cyber risks
- The regulatory environment is changing with governmental authorities demanding greater protection for data, and specifically for devices
Q: What are some of the challenges organisations are finding as they try to keep up?
A: Medical device companies struggle to build security programmes into quality systems that were, most likely, not designed to address typical security issues such as hardening, vulnerability management and global incident response.
Q: What are some of the most common cyber security threats? How do these threats affect the patient directly?
A: The most common threats we tend to see are:
- Operating System Attack – An attack on the operating system, for example, by exploiting a vulnerability of the operating system or making use of default settings to gain access to the operating system.
- Application-level Attack – An attack on the actual programming code and software logic of an application.
- Shrink-Wrap Code Attack – An attack that takes advantage of built-in scripts most applications come with.
- Misconfiguration Attack – An attack that takes advantage of systems that are not appropriately configured for security.
Q: Can you cite instances where breeches have affected the patient?
A: The healthcare industry is plagued by myriad cybersecurity-related issues.
These issues range from malware that compromises the integrity of systems and privacy of patients to distributed denial of service (DDoS) attacks that disrupt facilities’ ability to provide patient care.
While other critical infrastructure sectors experience these types of attacks, the nature of the healthcare industry’s mission poses unique challenges. For healthcare, cyber-attacks can have ramifications beyond financial loss and breach of privacy. Ransomware, for example, is a particularly egregious form of malware for hospitals, as the loss of patient data can put lives at risk.
It seems that every day, another hospital is in the news as the victim of a data breach. The routine is familiar; individuals receive notification by email of the breach, paired reassuringly with two free years of credit and identity monitoring.
Ransomware is a type of malware that infects systems and files, rendering them inaccessible until a ransom is paid. When this occurs in the healthcare industry, critical processes are slowed or become completely inoperable. Hospitals are then forced to go back to using pen and paper, slowing the medical process and ultimately soaking up funds that may otherwise have been allocated to the modernisation of the hospital.
The 2017 ransomware attack Wannacry exposed weaknesses in cybersecurity response. The attack took down the National Health system in Great Britain and put them back to paper and pencil.
In 2017, the U.S. Food and Drug Administration required nearly 500,000 patients with a radio frequency-enabled St. Jude Medical implantable pacemaker to install a software patch to protect themselves from cybersecurity vulnerabilities that had been discovered in the devices.
The FDA issued an alert warning to patients that the device’s vulnerabilities could allow unauthorised users to access the device.
Non-targeted attacks are more widespread, due to automation. Common malware used in non-targeted attacks are worms and viruses, which most often spread via the internet.
Targeted attacks often follow a structured approach with five hacking phases:
- Reconnaissance: Gather evidence and information on the target(s). This can happen actively or passively (network sniffing, social engineering, etc.).
- Scanning and Enumeration: Actively apply tools and techniques to gather more in-depth information on the target(s) (e.g., network mapper).
- Gaining Access: Perform the actual attack based on the information gained earlier (e.g. access open wireless access point, SQL injection, etc.)
- Maintaining Access: Ensure persistent access through implementation of a backdoor (e.g., Trojan, rootkit, etc.).
- Covering Tracks: Avoid detection by security professionals (e.g., removing/altering log files, hiding files, etc.).
Q: What are some strategies for improving cybersecurity?
A: Around the globe and across regulators, four consistent themes are emerging with regard to medical device cybersecurity: risk management, security by design, standardisation and documentation.
Cybersecurity risk management starts with an understanding of risk and its control, which means “security-by-design” or designing technical controls to ensure comprehensive and robust medical device protection for patient health and their personal data.
As standards are being developed, assessed and implemented, methods and rules for manufacturers to show they are doing “the right things” are also being incorporated. However, global medical device cybersecurity will depend on three expectations of industry — that there will be enhanced collaboration, greater transparency and increased awareness of the security risks inherent in medical devices.
Q: How can the law be improved to help?
A: Better Integration of cybersecurity into a Device Review Process would go a long way in ensuring that regulators drive manufacturers into taking cybersecurity requirements into consideration before bringing products to the market.
Regulators should promote the use of pre-submission meetings to address cybersecurity-related questions. Regulators should use cybersecurity documentation as a criterion in Refuse-To-Accept checklists and include cybersecurity as an element in the submission documents.
On the pre-market end, the International Medical Device Regulators Forum (IMDRF) includes recommendations on risk management, security testing and regulatory submission requirements, where manufacturers can document their cybersecurity activities and it will help if all regulators adopt this principle.
“Should the regulator require cybersecurity documentation for pre-market authorization, the manufacturer is encouraged to submit clear documentation describing, in relation to cybersecurity, the device’s design features, risk management activities, testing, labelling, and evidence of a post-market plan to monitor and respond to emerging threats,” the IMDRF explains.
On the post-market end, the draft discusses measures to enhance transparency for different stakeholders, such as via coordinated vulnerability disclosure. The draft also features discussions on vulnerability remediation and incident response, among other topics.
Q: Do laws/strategies create other challenges that hinder progress and transformation?
A: Industry faces a greater workload for compliance with the new legislative frameworks — some of which have specifically targeted data protection and cybersecurity. These include, the General Data Protection Regulation (GDPR) and the forthcoming Cybersecurity Act, among others. The EU’s Medical Device Regulation (MDR) introduces general and safety performance requirements as well. MDR came into force on 26 May 2020 as the first CE-marking legislation to introduce security requirements.
In South Africa, The Cybercrimes Act was first published as the Cybercrimes and Cybersecurity Bill on 28 August 2015, updated on 19 January 2017 and was introduced in Parliament on 22 February 2017.
The Bill sat with Parliament for a while as there was a strong push by the old regime in government to enact the Bill in its then-current form. There were extensive comments on the Bill during the public participation period in 2017, and particularly on onerous aspects of the Bill.
Those comments were considered and incorporated into the new Cybercrimes Bill that was published in October 2018. The Bill was revived by the National Council of Provinces (NCOP) who opened another period of public participation from various stakeholders since October 2019.
Yet again, NCOP received extensive comments and proposed changes. In June 2020, NCOP adopted the Cybercrimes Bill with their proposed changes. The Bill was sent back to the National Assembly for concurrence in July 2020. The Bill was passed by both houses of Parliament in December 2020 and was sent to the President to assent.
On 26 May 2021, the President signed the Bill into law. The Cybercrimes Act will only come into operation on a date fixed by the President by proclamation in the Gazette. The President may fix different dates for different provisions of the Act.
This law still requires integration into medical devices regulations in line with the EU and FDA in the US.
Q: Not all healthcare facilities are in the same place. How does outdated tech in facilities contribute to the issues?
A: The public health critical infrastructure sector represents a significantly large cyberattack surface. Intrusions and breaches occur through weaknesses and vulnerabilities in the system’s architecture and medical devices.
As with all other computer systems, medical devices that use software are vulnerable to cyberattacks and hospital network operations using software and the Internet are also subject to disruption.
If vulnerabilities are not addressed and remediated, they can serve as points of access and entry into medical devices, hospital and other healthcare networks, resulting in compromised data confidentiality as well as compromised patient safety.
Strengthening healthcare cybersecurity and the critical infrastructure within and across sectors is imperative. Doing so requires fostering an incentivised culture that encourages proactive behaviour, especially with regards to information sharing, as well as developing a framework to strengthen cybersecurity and critical infrastructure.
Q: Is there a big discrepancy between private and public facilities?
A: The challenge for the public and private sector remains the same and requires the same approach. Medical device cybersecurity “cannot be addressed from an isolated viewpoint. We need to broaden the discussions to ensure better harmonisation and alignment to the European and national laws that set security requirements for products and services.”
The first recommendation requests regulators broaden the European discussion around good security practices across all regulatory frameworks. Setting up this broad discussion would help “reduce market access limitations, conflicting security requirements and unnecessary administration”.
This recommendation seeks to promote regulatory convergence between EU member states and industry. This would coincide with EU ‘notified bodies’ participation in the International Medical Device Regulators’ Forum, which took up a new work item for a harmonised cybersecurity guide last year.
Q: Any closing thoughts?
A: Stakeholders within the healthcare sector have a shared responsibility regarding medical device cybersecurity. There should be a clear harmonised guidance that will assist all stakeholders in gaining a better understanding of their role in support of proactive cybersecurity that helps protect and secure medical devices in anticipation of future attacks, problems, or events.
Convergence of global healthcare cybersecurity principles and practices is necessary to ensure that patient safety and medical device performance is maintained. To date, however, current disparate regulations across governments lack the global alignment needed to ensure medical device cybersecurity.