Closing the Care Gap with Wearable Devices
Innovating Healthcare with Wearable Patient Monitoring
Chapter 14
Walter N. Maclay
Cybersecurity
DOI: 10.4324/9781003304036-17
Cybersecurity is a growing problem. Devices are compromised more and more often, and when that happens their data may be intercepted or corrupted. In addition, devices such as laptops, cell phones, and wearables can become portals into the networks of homes, businesses, and healthcare facilities.
94% of healthcare organizations have been the victim of a cyberattack*. As early as 2012, TRENDnet webcams were hacked, and live feeds from some 700 cameras were posted to the Internet**. In 2016, security researchers showed that St. Jude Medical pacemakers were vulnerable to attack; the investment firm that funded the research sold St. Jude stock short before the findings were announced. In 2017 the FDA announced a recall of 465,000 of the pacemakers over concern that an attacker could deplete the battery early or even alter the pacing of a patient's heart***.
[*source: SANS Institute
**source: TechNewsWorld
***source: The Guardian]
Most consumer products have little cybersecurity. It costs money to make devices more secure, and consumers do not make purchasing decisions based on the security of a device. This may change as security hacks grow in severity and frequency.
Wearable devices are more exposed to cyberattack than devices that stay in one place. Not only can their data be intercepted, but a healthcare facility may not be able to tell that data is arriving from a different device than expected, or that the device is being worn by the wrong person. Wearables also share every weakness of other connected devices:
◾ Data can be intercepted in transit if it is not encrypted.
◾ The device can be an easy foothold from which to attack the internal network.
◾ Another device can spoof it to gain access to the data or to the internal network.
◾ An attacker can change settings on the device so that it behaves incorrectly.
◾ The data itself may be inaccurate or tampered with.
◾ The timestamp on the data may be incorrect, so the facility cannot trust when a reading was taken.
Apple was quite careful about cybersecurity in its Apple Watch Series 4, which has capabilities such as fall detection and irregular heart rhythm (arrhythmia) detection that can make it a medical device. To confirm that a device is authorized to send health data, and that the right device is sending it, Apple:
- Tells the user that they need to grant permission before data can be sent.
- Prompts the user with a health authorization dialog on their iPhone.
- Sends the authorization from the phone to enable data transmission.
- Notifies the Apple Watch that the authorization has been completed.
FDA Cybersecurity
Medical devices do require protection from cyberattacks. The FDA issued a guidance document, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, in 2014; it can be found at https://www.fda.gov/media/86174/download. The FDA also issued a draft update in 2018, which had still not gone into effect as of late 2021: https://www.fda.gov/media/119933/download?attachment. The 2018 draft is more specific in its recommendations but is not a totally new methodology. It is a good idea to follow the 2018 draft so as to be ready when it is adopted.
Although guidance documents are not legal requirements, they should not be ignored: following the guidance makes approval easier, while departing from it may require justification.
The 2018 FDA draft guidance defines two tiers. Tier 1 ("Higher Cybersecurity Risk") calls for a higher level of security and applies to a device that meets both of the following criteria:
◾ The device is capable of connecting (wired or wirelessly) to another product, to a network, or to the Internet
◾ A cybersecurity incident affecting the device could directly result in harm to multiple patients
Tier 1 recommends the following:
◾ Authorization—ensure the user (or connecting device) is permitted to use the device or issue the command
◾ Authentication—verify the identity of the user or connecting device
◾ Encryption—both data and commands are encrypted
◾ Detection—identify security breaches in a timely fashion
◾ Correction—fix the security breach and make the device resistant to similar breaches
More specifically, the Tier 1 recommendations include:
1. Prevent unauthorized use:
a. Limit access to trusted users and devices only
b. Authenticate and check authorization of safety-critical commands
2. Ensure trusted content by maintaining code, data, and execution integrity
3. Maintain confidentiality of data
4. Design the device to detect cybersecurity threats in a timely fashion
5. Design the device to respond to and contain the impact of a potential cybersecurity incident
6. Design the device to recover capabilities or services that were impaired due to a cybersecurity incident
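The following Python sketch is an added example, not code from the chapter or from Apple or the FDA. It illustrates the wearable-specific threats described earlier (a spoofed or unexpected device, tampered readings, bad timestamps) together with Tier 1 items 1 and 2: a per-device key authenticates the sender, a MAC protects content integrity, a sequence counter and a timestamp window reject replays and stale data, and an allow-list confines each device to the message types it is authorized to send. Device identifiers, keys and the message layout are constructed for the example. The HMAC supplies only origin and integrity, so confidentiality (Tier 1 item 3) is assumed to come from TLS or an encryption layer beneath it.

```python
"""Authenticated, replay-protected device-to-backend messages with per-device authorization.

Added example, not code from the chapter. Device IDs, keys and the message format are
constructed for illustration. The HMAC provides origin and integrity only; confidentiality
is assumed to come from the transport (TLS) or a separate encryption layer.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time

# Constructed provisioning registry: each device has its own 256-bit key (in practice issued
# at manufacture and held in a secure element) and an allow-list of message types it may send.
DEVICE_REGISTRY: dict[str, dict] = {
    "wearable-0001": {"key": secrets.token_bytes(32), "allowed": {"telemetry"}},
    "basestation-01": {"key": secrets.token_bytes(32), "allowed": {"telemetry", "set_threshold"}},
}

MAX_CLOCK_SKEW_S = 300  # accept device timestamps within +/- 5 minutes of the server clock


def _canonical(fields: dict) -> bytes:
    """Deterministic JSON so device and server MAC exactly the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_envelope(device_id: str, key: bytes, msg_type: str, body: dict, seq: int, ts: int) -> dict:
    """Device side: authenticate a message with HMAC-SHA256 under the per-device key.

    seq is a counter the device increments for every message; ts is its wall-clock time.
    Both are covered by the MAC, so a relay cannot alter them without detection.
    """
    fields = {"device_id": device_id, "type": msg_type, "body": body, "seq": seq, "ts": ts}
    mac = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


class Receiver:
    """Backend side: checks origin, integrity, freshness and authorization, in that order."""

    def __init__(self, registry: dict[str, dict]) -> None:
        self.registry = registry
        self.last_seq: dict[str, int] = {}  # highest sequence number accepted per device

    def verify(self, envelope: dict, now: int) -> tuple[bool, str]:
        device_id = envelope.get("device_id")
        entry = self.registry.get(device_id) if isinstance(device_id, str) else None
        if entry is None:
            return False, "unknown_device"  # unprovisioned or spoofed device identity
        # 1. Authentication and integrity: recompute the MAC over every field except the MAC.
        fields = {k: v for k, v in envelope.items() if k != "mac"}
        expected = hmac.new(entry["key"], _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("mac", ""))):
            return False, "bad_mac"  # altered body, wrong key, or someone else's device_id
        # 2. Replay protection: the per-device counter must strictly increase.
        if envelope["seq"] <= self.last_seq.get(device_id, -1):
            return False, "replay"
        # 3. Timestamp sanity: a drifting device clock or a long-delayed message fails here.
        if abs(now - envelope["ts"]) > MAX_CLOCK_SKEW_S:
            return False, "stale_timestamp"
        # 4. Authorization: a device may only send the types it was provisioned for, so a
        #    compromised sensor cannot issue a safety-critical command.
        if envelope["type"] not in entry["allowed"]:
            return False, "unauthorized_type"
        self.last_seq[device_id] = envelope["seq"]
        return True, "ok"


def demo() -> dict[str, str]:
    """Run one accepted message and six attack variants; return the verdict for each."""
    rx = Receiver(DEVICE_REGISTRY)
    now = int(time.time())
    key = DEVICE_REGISTRY["wearable-0001"]["key"]
    good = build_envelope("wearable-0001", key, "telemetry", {"hr_bpm": 72, "spo2": 97}, seq=1, ts=now)
    tampered = dict(good, body={"hr_bpm": 172, "spo2": 97})  # reading altered in transit
    forged_id = dict(good, device_id="basestation-01")  # impersonate a different provisioned device
    spoofed = build_envelope("wearable-9999", key, "telemetry", {"hr_bpm": 72}, seq=1, ts=now)
    escalated = build_envelope("wearable-0001", key, "set_threshold", {"hr_max": 200}, seq=2, ts=now)
    clock_off = build_envelope("wearable-0001", key, "telemetry", {"hr_bpm": 70}, seq=3, ts=now - 3600)
    verdicts = {
        "valid": rx.verify(good, now),
        "replayed": rx.verify(good, now),
        "tampered": rx.verify(tampered, now),
        "forged_device_id": rx.verify(forged_id, now),
        "spoofed_device": rx.verify(spoofed, now),
        "unauthorized_command": rx.verify(escalated, now),
        "bad_clock": rx.verify(clock_off, now),
    }
    return {name: reason for name, (_ok, reason) in verdicts.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the verdict for each case. The ordering is deliberate: the MAC is checked before any other field is trusted, and authorization is checked last, so an authenticated but misbehaving device is still confined to its provisioned role.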
In addition, Tier 1 design recommendations include:
◾ Cryptographic verification and authentication
◾ Secure configuration
◾ Cybersecurity bill of materials (CBOM)
◾ Patches and updates (rapid verification, validation testing, and deployment)
◾ Autonomous functionality
◾ Session timeout
◾ Intrusion detection system
◾ Routine security and antivirus scanning
◾ Forensic evidence capture
◾ Vulnerability analysis
◾ Breach notification
◾ Retention and recovery
◾ Other resilience measures
For details of the FDA requirements and recommendations, refer to the links listed to download the documents.
Tier 2 ("Standard Cybersecurity Risk") devices are covered by the same recommendations, but a manufacturer may omit an item if it provides a risk-based rationale showing that the design feature is not appropriate for the device.
HIPAA - Patient Data Privacy
HIPAA requires patient data to be protected. It is a privacy and data-protection law, separate from cybersecurity, but you cannot meet HIPAA without good cybersecurity. Breaches of patient data are treated very seriously and carry heavy penalties. HIPAA requires security end to end:
◾ From device to database
◾ Physical access control at the database
For wearable devices, the transmitted data needs less protection if it carries only a patient code rather than the patient's identity; the code is matched back to the patient when the data is stored in the database. Two caveats apply. The code must not be derived from the patient's identifiers (HIPAA's Safe Harbor provision, 45 CFR 164.514(c), requires that a re-identification code not be derived from or related to information about the individual), and the table that links codes to patients is itself protected health information and must be secured accordingly. Under GDPR, such pseudonymized data is still personal data.
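As an added example (not the chapter's own code or any real product's), the Python below shows the pattern just described and the caveat that goes with it: the device transmits a random patient code with its measurements, the code is resolved to the patient only in the database, and a code derived from the medical record number by hashing is shown to be reversible by brute force, which is why the code must not be derived from the patient's data. The patient record, code format and list of identifying fields are constructed for illustration.

```python
"""Pseudonymous transmission: the wearable sends a patient code, never the identity.

Added example, not from the chapter or any vendor. The patient record, code format and
field names are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import secrets

# Fields that identify a person and therefore must never appear in a transmitted payload.
IDENTIFIERS = {"name", "mrn", "dob", "address", "phone", "email"}


def hashed_code(mrn: str) -> str:
    """Anti-pattern: a 'code' derived from the medical record number by hashing it."""
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]


def recover_mrn_from_hash(code: str, mrn_digits: int = 6) -> str | None:
    """Why the anti-pattern fails: anyone who knows the MRN format can brute-force the hash.
    Six-digit MRNs give only a million candidates, seconds of work on a laptop."""
    for n in range(10 ** mrn_digits):
        candidate = f"{n:0{mrn_digits}d}"
        if hashed_code(candidate) == code:
            return candidate
    return None


class PatientCodebook:
    """The re-identification table. It lives only in the access-controlled database, never on
    the device or in transit. Codes are random, not derived from the patient, so a code alone
    cannot be reversed without this table."""

    def __init__(self) -> None:
        self._by_code: dict[str, dict] = {}
        self._by_mrn: dict[str, str] = {}

    def enrol(self, patient: dict) -> str:
        """Issue a random code for a patient record, or return the one already issued."""
        mrn = patient["mrn"]
        if mrn not in self._by_mrn:
            code = "P-" + secrets.token_hex(8)
            while code in self._by_code:  # collision guard; practically never triggers
                code = "P-" + secrets.token_hex(8)
            self._by_code[code] = patient
            self._by_mrn[mrn] = code
        return self._by_mrn[mrn]

    def resolve(self, code: str) -> dict | None:
        """Database side: map a received code back to the patient record."""
        return self._by_code.get(code)


def device_payload(code: str, reading: dict) -> dict:
    """What the wearable transmits: the code plus measurements, and nothing identifying.
    Refuses to build a payload that would leak an identifying field."""
    payload = {"patient_code": code, **reading}
    leaked = IDENTIFIERS & set(payload)
    if leaked:
        raise ValueError(f"payload would leak identifying fields: {sorted(leaked)}")
    return payload


def demo() -> dict:
    """Enrol a constructed patient, build and resolve a payload, and reverse the hashed anti-pattern."""
    patient = {"name": "A. Example", "mrn": "004217", "dob": "1960-01-01"}  # constructed record
    book = PatientCodebook()
    code = book.enrol(patient)
    payload = device_payload(code, {"hr_bpm": 68, "ts": 1700000000})
    return {
        "payload_fields": sorted(payload),
        "payload_has_identifiers": bool(IDENTIFIERS & set(payload)),
        "resolved_name": book.resolve(payload["patient_code"])["name"],
        "hashed_code_recovered_mrn": recover_mrn_from_hash(hashed_code(patient["mrn"])),
    }


if __name__ == "__main__":
    print(demo())
```

The random code carries no information about the patient, so intercepting it reveals nothing; the hashed code looks just as opaque but is recovered in a few thousand guesses because the input space (a six-digit number) is tiny. Protecting the codebook is therefore the whole of the security, and it belongs behind the database's access controls rather than on the device.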
CE Cybersecurity
CE marking under the EU Medical Device Regulation (MDR, Regulation (EU) 2017/745) imposes cybersecurity requirements that differ from the FDA's. They are less specific than the FDA's, but they are binding requirements, not just guidance. Devices must be safe, effective, and secure. There is a strong focus on data protection under GDPR, which is stricter than HIPAA in the US.
The documents that define the requirements include:
◾ Annex I of the Medical Device Regulation (MDR)—general safety and performance requirements: https://www.medical-device-regulation.eu/2019/07/23/annex-i-general-safety-and-performance-requirements/
◾ EN 62304 (IEC 62304)—medical device software life cycle processes
◾ EN ISO 14971—risk management for medical devices (hazard analysis)
The Commission's guidance MDCG 2019-16 lists eight secure development life-cycle "practices", taken from IEC 62443-4-1, that manufacturers are expected to follow:
◾ Practice 1: security management
◾ Practice 2: specification of security requirements
◾ Practice 3: secure by design
◾ Practice 4: secure implementation
◾ Practice 5: security verification and validation testing
◾ Practice 6: management of security-related issues
◾ Practice 7: security update management
◾ Practice 8: security guidelines—documentation
In addition, it is the manufacturer’s responsibility to determine the minimum requirements for the operating environment regarding IT network characteristics and IT security measures that could not be implemented through the product design.*
[*from MDCG 2019-16 Guidance on Cybersecurity for medical devices, https://health.ec.europa.eu/document/download/b23b362f-8a56-434c-922a-5b3ca4d0a7a1_en?filename=md_cybersecurity_en.pdf]
Benefits of adopting a security-by-design approach:
◾ Lower cost
◾ More resilient systems
◾ Reduced risk of liability
◾ Built-in rather than bolt-on security
◾ Effective and early security flaws removal
Security by design is the only practical way to meet FDA and CE cybersecurity requirements. As with other aspects of the design, you need clear requirements for cybersecurity. You need to evaluate risk, which may require changing those requirements. When the design is complete, you need to perform verification testing to show that the device meets them.
Factors to consider when designing a wearable medical device:
◾ Try to use proven technology with less chance of security flaws
◾ Check for known exploits in the technology platform
◾ Perform risk assessment—break the risk down into individual items, each with its likelihood and impact and the effort required to mitigate it.
◾ Cryptography—what strength of cryptography is needed? Stronger algorithms and longer keys cost more power and time on a battery-powered wearable.
◾ Encryption—this is not just a matter of protecting data with an encryption algorithm. Key management (how keys are generated, provisioned, stored, and rotated) is actually the harder and more important problem.
◾ Threat Detection—how can one detect a threat before any damage is done?
◾ Penetration Testing—hire ethical hackers to attempt to attack the system.
◾ Developers—are they involved in threat modeling? Are they aware of your organization’s secure-by-design practice?
◾ Maintainability—are requirements for maintainability and tools to measure it in place?
◾ Privacy by Design—is privacy included in your approach (HIPAA and GDPR)?
◾ Further Improvements—how can you continuously improve device development? Security will get more challenging during the life of the product.