The U.S. National Cybersecurity Strategy, announced in March 2023, was joined by several other regulatory and legislative initiatives throughout the year that will have a major impact on the security of the Internet of Medical Things (IoMT) in 2024 and beyond. As these initiatives progress, there is also a proven roadmap for meeting their new and evolving compliance requirements so that medical devices are not only safe but also secure.
Threat surface grows
The World Health Organization (WHO) estimates there are 2 million kinds of medical devices that, increasingly, use software for signal processing, data visualization and other functions, as well as wireless connections to transmit data and allow device control. For example, an unprotected infusion pump might divulge sensitive information to a hacker, and some insulin pumps may even allow remote attackers to take over control of dose delivery.
A November 2023 study published in Nature magazine found that medical devices purchased by national health services worldwide have nearly 700 vulnerabilities, more than half defined as “critical” or “high-severity.” It takes so long to discover these vulnerabilities that, even if patches were applied immediately after the vulnerability was found and announced, it has been estimated that there would still have been roughly 3.2 years of system exposure between when the device was purchased and the patch applied.
This applies to all classes of devices including high-risk IIB and III devices. The study also compared connected medical devices’ weaknesses to those of IoT products in the broader market, and concluded they are as vulnerable as smart bulbs and speakers.
A cascade of initiatives
The U.S. National Cybersecurity Strategy emphasized two main fixes in the overall war against cyber threats: take some of the risk-management burden off end-users, and better incentivize decision-making so that cyberspace is resilient and defensible over the long term. The July announcement of the National Cybersecurity Strategy Implementation Plan (NCSIP) followed late 2022’s new FDA cybersecurity requirements (finalized in September 2023), and the April publication of the ANSI/AAMI SW96:2023 standard for medical device security. With these developments, the FDA now had statutory authority to require that satisfactory cybersecurity measures be incorporated into medical devices before entering the market. The agency also fully endorsed the new ANSI/AAMI standard in November.
Next up was the NIST Cybersecurity Framework (NCF) 2.0 in August 2023, focusing on improvements in authentication, identity management, cybersecurity risk management, supply chain risk management, and vulnerability disclosure – all highly relevant to vulnerable connected medical devices. In its NCF concept paper, NIST also referenced a National Cybersecurity Center of Excellence (NCCoE) project entitled “Trusted IoT Device Network-Layer Onboarding and Lifecycle Management” that will explore credential provisioning for secure network connection. This requires trusted network-layer onboarding, which “in combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement could improve the security of networks and IoT devices.”
Also in August, the Biden-Harris Administration announced a cybersecurity labeling program for Internet of Things (IoT) devices to help consumers make informed purchases with security in mind. And finally, December saw the U.S. Department of Health and Human Services’ strategy for healthcare sector cybersecurity, which reiterates elements of the new FDA authority over medical-device security requirements.
Recurring themes
Among these initiatives’ most relevant recurring themes for medical devices are standardization, IoT security, and multi-layered “security by design”.
The push for standards is one of NCSIP’s top priorities, and a key element of the FDA’s new authority to establish medical device security requirements for manufacturers. The FDA’s endorsement of ANSI/AAMI SW96:2023 adds momentum to the first consensus standard that provides specific requirements for managing security across a medical device’s entire lifecycle.
IoT security is a key element of these initiatives, as well, starting with the National Cybersecurity Strategy’s stipulation that “consumers will be able to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem.” The NIST NCF 2.0 framework’s IoT device security project is another initiative to watch, and healthcare industry observers are already anticipating that the federal IoT labeling program could be expanded and applied to IoMT devices.
Also noteworthy is the recurring emphasis on multi-layered security by design, with examples in both the NCSIP and the ANSI/AAMI standard. The NCSIP focuses on defending critical infrastructure by, among other means, ensuring software and hardware are “secure-by-design,” which the US Cybersecurity and Infrastructure Security Agency (CISA) defines as “conceptualized with the security of customers as a core business goal, not just a technical feature.” Reinforcing this concept, the ANSI/AAMI standard mandates the use of more than one method of ensuring devices and systems are protected.
A proven roadmap
Solutions that embody these themes have already been implemented. One of the best examples is the first FDA-cleared Automated Insulin Delivery (AID) systems that require insulin pumps to be always connected to a Continuous Glucose Monitor (CGM) in compliance with IEEE 2621 certification requirements. Software development kits (SDKs) are now available that embed IEEE 2621-compliant security assurance directly into market-leading AID systems, proving the value of a standards-based approach to protecting wireless connections against cybersecurity threats. They also offer a roadmap for applying a multi-layered security-by-design approach to connecting and protecting other medical devices under control of a user’s smartphone.
This approach typically spans three key security layers. The first is application-layer security to protect the entire communication channel between the smartphone app, medical device, and cloud from many types of malware and wireless channel cybersecurity attacks. Today’s Bluetooth, Wi-Fi and other communication protocols mitigate some, but not all, threats that are inherent to these communication links. Additional measures are required to fully protect all communications channels so that hackers cannot access data or take control.
The second layer brings trust to all system elements through authentication. Hackers must be prevented from gaining “root access” to privileges that enable them to cause harm. Authentication validates the integrity of the user, smartphone app, cloud, consumables, and any associated devices connected to the solution’s communication system. It can be implemented with software or hardware. Hardware Security Modules (HSMs) may also be provisioned to medical devices at the factory to give both the medical device and the consumable the cryptographic keys and digital certificates they need to behave like secure elements (SE) in the system.
Finally, it is essential that there be secure, always-on connectivity between a medical device’s smartphone apps, IoT devices, and the cloud. Without this assurance layer, a communications lapse – always a risk with handheld devices or smartphones – could prevent the system from receiving the most recent data so it can immediately change device operation to meet patients’ care requirements. One solution is a software app running in the smartphone’s background that harvests IoT device data whenever the device is near the smartphone. A second approach is to use additional “bridge” hardware that communicates with the wearable device and the cloud and can be configured either for continuous operation or for use only when the primary IoT-to-cloud path is unavailable.
2023 was a busy year for healthcare industry security, and especially for initiatives focused on connected medical devices. There is growing and coordinated momentum behind the goal of ensuring these devices improve people’s lives without introducing them to cybersecurity threats and associated safety risks. There also is a proven playbook for implementing the type of multi-layered, security-by-design strategies these initiatives advocate.