Across the digital health sphere, connected medical devices allow patients to leave hospital sooner and provide remote monitoring features which can be powerful tools for healthcare professionals. This is highly beneficial to patients, who can often continue treatment in their own home, and it can cut costs for healthcare providers seeking to conserve crucial resources. Appropriate collection of patient data may even aid care elsewhere, improving outcomes as a result. Connectedness can bring a third dimension of functionality to digital health, but new risks appear as care has moved out of the secure space of the hospital and into the wider environment.
As healthcare embraces this approach globally, it makes sense to understand the associated risks. In this article we give an overview of cybersecurity risks that stakeholders should consider for digital health and medical devices, and we assess the regulatory frameworks currently in place in the EU and others due to come onstream.
Although the idea that bad actors can hijack medical devices sounds like a science fiction plot, breaches of medical IT systems have happened, and they have been occurring with increasing frequency:
- French hospital serving 600,000 patients suffers ransomware attack (August 2022)
- UK’s National Health Service ransomware attack (August 2022)
- Irish Health Service Executive (HSE) suffers large scale ransomware attack (May 2021)
- Finnish mental health facility suffers data breach and users extorted (October 2020)
There have not yet been any known incidents of medical devices themselves being hacked. However, in March 2019 the US Food and Drug Administration (FDA) warned that medical devices such as implantable heart defibrillators and home monitoring systems were vulnerable to attack.
More recently in 2022, the FBI “identified an increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features. Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity”.
The FBI stated that medical device vulnerabilities are caused by hardware design and device software management. According to the FBI, vulnerable devices can be taken over by malicious hackers, device readings can be changed, overdoses delivered or devices can otherwise be used to endanger patient health. The devices most susceptible to attack are:
- Intracardiac defibrillators
- Mobile cardiac telemetry
- Insulin pumps
- Intrathecal pain pumps, and
This threat is not entirely new, of course. Back in 2007, Estonia, an early adopter of the digitalisation of its public services including telehealth, suffered a crippling cyber-attack which shut down its entire government system, severely impacting its telehealth operations.
In Ireland, the need for cybersecurity in healthcare became acutely apparent in May 2021 when the HSE suffered a major cyber-attack conducted by a criminal gang using “Conti” ransomware. Taking place at a critical point in the nation’s COVID-19 pandemic response, the cyber-attack affected 80% of the HSE’s IT infrastructure, encrypting critical services and patient records, as well as causing severe disruption in the form of cancelled outpatient appointments. Diagnostic and laboratory services were also heavily impacted. The shockwaves were also felt far beyond hospital campuses as information flows between medical devices and the HSE were shut down as part of the attack. In a post-attack review carried out by PwC, it was noted that while there was no attempt to infiltrate individual medical devices, it was technologically possible, and that infiltration of this kind presents a significant risk for the future. Amongst many recommendations arising from the attack, the HSE was advised to define a minimum-security standard for the networking of medical devices.
The Medical Device Regulation
Medical devices are regulated by sector-specific legislation in the form of the Medical Device Regulation EU 2017/745 (MDR). Although the MDR does not use the term cybersecurity, medical devices must satisfy the General Safety and Performance Requirements (GSPR) set out in Annex I of the Regulation. The Medical Devices Coordination Group (MDCG) has elaborated on this in its guidance document on cybersecurity (MDCG 2019-6) and notes that the MDR:
“…lays down certain new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. They require manufacturers to develop and manufacture their products in accordance with the state of the art taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorised access”.
The GSPR may enhance cybersecurity for medical devices, and the MDCG guidance aids stakeholders to a degree. However, on the implementation of measures, the MDCG’s approach has been said to lack specificity on what is required and, as guidance, it is non-binding.
Standards can also play an important role in assisting manufacturers in meeting the essential health, safety and performance requirements set out in applicable EU legislation such as the MDR. For example, ISO 14971:2019 “Medical devices – Application of risk management to medical devices” became a harmonised standard under the MDR in May 2021 and provides further detail for manufacturers on how to demonstrate compliance with the requirements contained in Annex I.
Alongside the software life-cycle standard IEC 62304 “Medical device software – Software life cycle processes”, the recently published IEC 81001-5-1 “Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle” (expected to be recognised by the EU Commission by May 2024) also directly addresses the relationship between healthcare organisations and medical device manufacturers and gives detailed guidance to manufacturers on how to ensure appropriate cybersecurity in healthcare IT systems.
The Network and Information Security Directive
In 2018, the Network and Information Security (NIS) Directive was implemented in Member States. The Directive harmonised national cybersecurity capabilities, cross-border collaboration and the supervision of critical sectors across the EU. Member States must:
- Be prepared, by establishing a Computer Security Incident Response Team (CSIRT) and a competent national NIS authority
- Engage in cooperation with other Member States on cybersecurity issues
- Develop a culture of security across sectors which are critical to infrastructure, such as financial services, energy, transport and healthcare
The NIS 2 Directive
Although the NIS Directive was seen as a good starting point, some argued it was inconsistently applied across Member States, resulting in divergent security and incident notification strategies. Under Article 23 of the NIS Directive, the European Commission conducted a review of the NIS Directive and developed a proposal for a revised directive “because of the increasing degree of digitalisation and interconnectedness of our society and the rising number of cyber malicious activities at global level”.
The NIS 2 Directive:
- Covers more sectors that are critical for the economy and society
- Expressly covers “the healthcare sector, for example by including medical device manufacturers, given the increasing security threats that arose during the COVID-19 pandemic”
- Addresses security of supply chains
- Imposes accountability upon top management for cybersecurity non-compliances
The NIS 2 Directive also broadens the scope of healthcare entities that should be protected, including laboratories, R&D and manufacturing activities for medicinal products as well as manufacturers of medical devices delivering critical services during a health emergency. Those entities must now “take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information system.” Competent Authorities are empowered to supervise and enforce more stringent requirements of the NIS 2 Directive. In Ireland, surveillance and enforcement are the responsibility of the National Cyber Security Centre (NCSC).
The NIS 2 Directive was published in the Official Journal of the European Union on 27 December 2022 and will enter into force twenty days from that date. Member States will then have 21 months to implement it. Although it will not apply directly to medical devices, as they are subject to sector-specific legislation via the MDR, healthcare institutions will be bound by its terms and on that basis its impact will likely be felt by medical device stakeholders.
The EU Cybersecurity Act
Although medical devices are exempted from a proposal for an EU Cyber Resiliency Act, the EU Cybersecurity Act (EUCA) has been in force across Member States since June 2021 and applies to healthcare settings. Under the EUCA, the European Union Agency for Network and Information Security (ENISA) will oversee enforcement of the EUCA at Member State level. National Competent Authorities are given the power to implement penalties which are “effective, proportionate and dissuasive” for breaches of the EUCA.
Other incoming legislation
Cybersecurity requirements also play an increasingly important role in draft legislation providing for a safety regime for AI systems, in the proposed legislation providing for the EU system of strict liability for defective products, and in fault-based liability claims for AI systems.
- The Proposal for an AI Act: contains various references to the importance of cybersecurity in its draft recitals. Article 15 also sets out specific cybersecurity requirements for ‘high-risk’ AI systems, a category that would include medical devices
- The Proposal for a Revised Product Liability Directive (PLD): may impact how medical device stakeholders manage cybersecurity risk from a liability perspective. Under the revised PLD, damage caused due to cybersecurity vulnerabilities may be compensable on a no-fault basis. Producers may also be liable where they fail to update software to address cyber vulnerabilities that manifest after a product is put into circulation and damage is caused as a result
- The Proposal for an AI Liability Directive (AILD): contains provisions providing for a rebuttable presumption of causation where a number of criteria, including ‘fault’ on the part of the defendant, are satisfied. For ‘high-risk’ AI systems, non-compliance with the cybersecurity requirements contained in the draft AI Act would amount to ‘fault’ for the purposes of triggering this presumption
Against a background of enhanced convenience for patients and changing approaches to care, the European Commission is trying to deal with a particularly challenging problem posed by ever more complex technology, and multiple frameworks are coming onstream to deal with this risk.
Digital health stakeholders would be advised to:
- Review their product portfolios
- Understand product cybersecurity vulnerabilities
- Where possible, develop appropriate strategies to tighten security, and
- Coordinate their approach with healthcare facilities using their products