MDR compliance 101: Medical device vulnerabilities and their solution Part 2.
Medical devices have been around for decades, but they were not built with cybersecurity in mind. Even though connected devices such as insulin pumps, pacemakers and smart MRI scanners are gaining popularity at an increasing pace, their security still lags behind that of IoT devices intended for industrial use.
Luckily, after several demonstrations by white-hat hackers of how easily their common vulnerabilities can be exploited, the European Union and the American FDA each established cybersecurity guidelines to minimise the chance of malicious exploitation.
The two new European Union regulations on medical devices, the MDR (Medical Devices Regulation, EU 2017/745) and the IVDR (In Vitro Diagnostic Medical Devices Regulation, EU 2017/746), entered into force on 25 May 2017, although organizations have 5 years to adjust to the new rules, until May 26, 2022.
The MDR and the IVDR oblige manufacturers to meet certain cybersecurity expectations in order to be allowed to market their devices, and this already has an impact on the market. In 2017, for instance, the FDA announced its first-ever recall of a pacemaker that carried a major cybersecurity risk. In 2018, a popular pacemaker manufacturer had to shut down part of its Internet network in order to fix the underlying issues, after hackers demonstrated how they could remotely break into its devices and manipulate patient data.
Why do these connected devices have a large attack surface?
Even though manufacturers usually employ professional, senior-level programmers and engineers, product cybersecurity is not at the top of the priority list. This is the result of a relatively low level of cybersecurity awareness within the healthcare industry, compounded by the lack of regulation.
Most companies in the private sector are pushing for innovation to outpace their competitors and market the best medical device. This neck-and-neck competition on functionality pushed cybersecurity to the bottom of the priority list. Moreover, as there was essentially no regulation to comply with, manufacturers did not have to maintain in-house IT security teams or hire third-party experts to oversee risk management.
Fortunately, today we can observe a general increase in the level of awareness among manufacturers. This trend is the result of the terrifying cybercriminal activities of the recent past, such as hospital shutdowns, data theft, and ransomware attacks exploiting IT technologies used in healthcare systems and institutions. The European Union’s reaction was to level the playing field by integrating mandatory cybersecurity activities for manufacturers.
The most common causes of medical device vulnerabilities
As medical devices are usually sold with their own smart applications and are connected to a central hub, a smartphone or a Wi-Fi router, the network can easily be compromised if the device is not built according to the secure-by-design principle.
The most common cyberattacks are ransomware, phishing, code injection, (D)DoS and data theft, all of which can be prevented or mitigated with proper planning, risk management and IT security design.
Most exploitations are the result of:
- weak passwords
- outdated operating system
- security misconfiguration
- insecure design
- lack of role-based access limitation
- insufficient or faulty documentation on source code or features
- lack of logging and monitoring
- cryptographic failure
- lack of encryption
- broken access control
We might assume that hackers want to get hold of personal data such as bank account numbers and passwords, but PII is just the tip of the iceberg. By taking advantage of these vulnerabilities, they can modify data recorded by the connected devices, which can threaten patients' health or disrupt the operation of healthcare institutions. Beyond that, this data can be used for industrial espionage, to blackmail vendors or institutions for ransom, or to be sold on the black market for other cybercriminals to use.
How can manufacturers prevent these malevolent exploitations?
Most cybercriminals gain access to sensitive PII or carry out a successful cyberattack by exploiting vulnerabilities that stem from the low priority given to cybersecurity during development. Luckily, this is something that can be turned around quite quickly. By prioritizing cybersecurity while building and developing products, and taking security into consideration right from the start, manufacturers can significantly reduce their attack surface.
By fulfilling the expectations of the EU medical device regulation, like the MDR and the IVDR, manufacturers can make sure that they’re using state-of-the-art technology that not only helps them to comply with the MDR standards, but saves a significant amount of money and time in the long run.
Even though MDR compliance might seem like an unnecessary expense at first sight, it helps manufacturers avoid unwanted costs arising from data breaches, data theft, or other legal and development expenditures caused by negligence in cybersecurity. After working with hundreds of clients over the years, we can confidently state that prevention is always better and more cost-effective than the reactive approach of putting out the fire after the harm has already been done.
Secure by design principle
The secure-by-design principle is the best option for prevention. It means giving due consideration to cybersecurity aspects before and during development. As a result of this process, manufacturers can build better and more effective products and achieve better outcomes in product evaluations, which ultimately lets them bring the smart connected device to market earlier.
How can manufacturers ensure their products’ cybersecurity without building their own team?
We know that building an IT and cybersecurity team to comply with regulations is quite costly and time-consuming. This is why we recommend working with a third-party expert to support regulatory compliance and certification. Choosing a professional team that suits your needs can be complicated, however, so we advise using an independent organization for device cybersecurity testing with an internationally recognized and measurable methodology, such as CCLab.
If you want to make sure that your products are complying with the MDR and IVDR expectations and you want to work with a team with demonstrated history in this area, get in touch with us now!