In the last few years we’ve seen breakthroughs in the IT industry and innovations in medical devices and software that have brought about a paradigm shift in the healthcare services sector. These technological advancements and healthcare IT solutions promise a brighter, healthier future for mankind. It has become inevitable that today’s healthcare keeps pace with current technological developments in the field. Today’s hospital is already equipped with advanced gadgets and powerful digital technology, and tomorrow’s will have much more effective healthcare technology. These advancements provide doctors with crucial data points for making critical and effective decisions, which ultimately improve the quality of treatment and the overall experience of the patient.
However, “with great opportunity comes great risk”. The digitization of health information not only creates efficiency, but also exposes that information to more people, in many places and on more devices. With the proliferation of healthcare devices into the human body, these vulnerabilities can put you and me at risk. Medical devices such as pacemakers, X-ray equipment, picture archiving and communication systems (PACS) and blood gas analyzers (BGA) are ripe for attack by cybercriminals seeking profit. Hackers are honing their skills to get their hands on this valuable data. Apart from the devices mentioned above, many other devices present targets for cybercriminals, e.g., diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more.
Cybersecurity has migrated from being “force majeure” to “raison d’être”, and in a very short time at that. No industry using IT is untouched by it. Many healthcare providers are still grappling with ransomware attacks that hit not only IT devices, but healthcare devices as well (e.g., power projectors).
Different industries have taken their own steps to understand, analyze and comply with the security measures mandated by the various cybersecurity regulations and standards, and to respond to market forces.
Medical Device Manufacturers (MDM) have their own issues to grapple with as far as cybersecurity is concerned. While they have regulations (FDA, EU, AU, MoH Malaysia) to contend with, market forces have also ensured that standards (ISO 14971:2007, ISO 13485:2003, ISO 10993-1:2009, IEC 62366-1:2015, IEC 60601) and best practices (OWASP Secure Medical Device Deployment Guide) are available to take advantage of. To their credit, MDM have always tried to produce safe and secure medical devices in alignment with market forces (i.e., competition, time-to-market, regulations, etc.).
As an independent third-party inspection and consulting company, TUV Rheinland has always strived to contribute to the protection and sustainability of industry by adhering to strict standards when performing inspections and consultations. As part of our consulting efforts, we try to educate our clients on the relevant knowledge, so that they can deploy these controls across their software development (SDLC) supply chain (known as “shifting left” in application security parlance), minimizing their cost of closing security bugs and bringing down the total cost of ownership.
The Ministry of Health, Malaysia is organizing the International Medical Device Conference 2017, which is planned for 8-10 August 2017. For this conference, IMDC has invited our expert Mr. John Ramesh, Regional Business Field Manager, TUV Rheinland, to present the latest developments in cybersecurity risks to medical devices, as well as the standards and regulatory landscape and an appropriate framework to ensure proper security controls are deployed at every stage of the product life cycle.