Feature

Facing the cyberstorm: essential security strategies for medical devices

As medical devices become increasingly vulnerable to cyberattacks, the integration of robust security protocols and cutting‑edge AI‑based cybersecurity solutions is needed to bolster resilience. By Bernard Banga.

Credit: ImageFlow / Shutterstock

Cybersecurity concerns in the medical device sector are intensifying globally, as the value of sensitive health data increases and digital personal health records become more widely available. ‘The Internet of Medical Things (IoMT) integrates medical devices for real-time data analysis and transmission but faces challenges in data security and interoperability’, explains Kulsoom S. Bughio, a research student in IoT Networks and Artificial Intelligence at the School of Science, Edith Cowan University, Australia. Roberto Filippini, Senior Risk Manager at EBG MedAustron GmbH and Teaching Assistant Professor in the Department of Bioengineering at the University of Illinois Urbana-Champaign, remarked, “Medical device manufacturers are grappling with the complexities of analyzing, managing, and maintaining cybersecurity throughout the lifecycle of their products.” He made the remark at the 2024 IEEE/ACM 4th International Workshop on Engineering and Cybersecurity of Critical Systems, held in Vienna, Austria. The event, organized jointly by the IEEE (Institute of Electrical and Electronics Engineers) and the ACM (Association for Computing Machinery), aims to advance research and innovation in cybersecurity for critical systems.

Medical devices highly exposed to cyber threats

Recent statistics indicate a rise in cyberattacks targeting hospitals, placing the medical device sector among the top ten most threatened industries in 2022. The consequences of these attacks can be severe, resulting in system interruptions, treatment delays, and even fatalities in the case of compromised critical devices. According to the latest report from the Ponemon Institute published by IBM Security, the average cost of a healthcare data breach reached nearly $11 million in 2023, reflecting an 8% increase from the previous year, and a staggering 53% rise since 2020.

At least five major categories of connected medical devices have been identified as highly exposed to cyber threats. Notably, 83% of medical imaging systems, including MRI machines and CT scanners, have been recognised as being vulnerable to cyberattacks, according to a study conducted by Unit 42 at Palo Alto Networks. Furthermore, 75% of infusion pumps were found to be connected to vulnerable networks, thereby exposing patients to potential risks. Implantable connected pacemakers and ventilators also represent sensitive targets for cyber threats, with over 50% of connected ventilators failing to receive necessary updates. Cardiac monitoring devices also exhibited vulnerabilities in 30% of cases in 2023.

This situation underscores the critical importance of advanced cybersecurity protocols for securing data management systems within the medical device industry. As Zihad Hasan Joy from the Department of Finance at Texas A&M University, Texarkana, Texas, USA, emphasises, medical device manufacturers and their institutional clients must implement six essential cybersecurity protocols to enhance the resilience of medical systems against cyber threats and to protect sensitive patient data.

Six essential security protocols for medical devices

  • Data encryption: as of 2024, emerging technologies such as homomorphic encryption enable data to be processed without complete decryption, thereby enhancing patient confidentiality even in the event of an attack.

  • Multi-factor authentication (MFA): MFA is essential for preventing unauthorised access to healthcare systems and connected medical devices. It strengthens security by requiring multiple forms of identification – such as passwords, fingerprints and mobile authentication – before granting access to networks and devices.

  • Automatic security updates: the frequency of automatic updates has increased, helping to keep medical devices up-to-date against the latest vulnerabilities. New systems such as over-the-air (OTA) updates, deployed by companies such as Medtronic, ensure that patches are applied swiftly without human intervention.

  • Network anomaly detection and response: medical devices now incorporate behavioural analytics tools to detect network anomalies. These detection and response systems continuously monitor network activities to identify suspicious behaviour, intrusions or potential threats.

  • Network micro-segmentation: this strategy divides networks into smaller, more secure segments within hospitals, thereby limiting the ability of cyberattacks to spread from one device to another.

  • Next-generation firewalls (NGFW): NGFWs provide advanced protection by combining URL filtering, intrusion prevention and application monitoring, thus safeguarding connected medical devices against both internal and external threats.
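
How micro-segmentation and network anomaly detection work together can be shown with a default-deny segment policy checked against flow records, so that traffic from one device toward another is flagged. This is an added example, not taken from the article or any vendor it names; the subnets, segment names, ports and flow records are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed segment map (assumption): one subnet per device class.
SEGMENTS = {
    "infusion-pumps": ip_network("10.20.1.0/24"),
    "imaging": ip_network("10.20.2.0/24"),
    "clinical-servers": ip_network("10.20.10.0/24"),
}
DEVICE_SEGMENTS = {"infusion-pumps", "imaging"}

# Default-deny policy: a flow is allowed only if its
# (source segment, destination segment, destination port) is listed here.
ALLOWED = {
    ("infusion-pumps", "clinical-servers", 443),
    ("imaging", "clinical-servers", 104),  # DICOM port, assumed for this example
}

def segment_of(addr):
    """Map an IP address to its segment name, or 'unsegmented' if none matches."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unsegmented"

def audit(flows):
    """Return (flow, reason) for every flow the policy does not allow."""
    alerts = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if (s, d, port) in ALLOWED:
            continue
        if s in DEVICE_SEGMENTS and d in DEVICE_SEGMENTS:
            reason = "device-to-device traffic"
        elif "unsegmented" in (s, d):
            reason = "traffic outside defined segments"
        else:
            reason = "flow not in policy"
        alerts.append(((src, dst, port), reason))
    return alerts

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.10.5", 443),   # pump -> server, allowed
    ("10.20.2.8", "10.20.10.6", 104),    # scanner -> server, allowed
    ("10.20.1.15", "10.20.1.22", 445),   # pump -> pump
    ("10.20.2.8", "10.20.1.15", 22),     # scanner -> pump
    ("10.20.1.30", "203.0.113.9", 443),  # pump -> host outside all segments
    ("10.20.1.15", "10.20.10.5", 23),    # pump -> server, unexpected port
]
```

Because the policy is an allowlist, two pumps in the same subnet talking to each other raise an alert just as cross-segment traffic does, which is the containment property the micro-segmentation bullet describes.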

Sixty companies target $1.1 billion medical tech security market by 2027

According to a recent report from leading data and analytics company GlobalData, the market for cybersecurity in medical devices is forecast to grow at a compound annual growth rate (CAGR) of 12.2% between 2022 and 2027, to reach $1.1 billion. The global medical device cybersecurity market is experiencing robust growth, driven by increasing cyberattacks and stricter regulations. Around 60 providers dominate this market, with the key players – who include Check Point Software Technologies, Palo Alto Networks, Medcrypt, CyberMDX and Zingbox – offering encryption, threat detection and device security solutions. Established firms such as Cisco Systems, McAfee and Symantec also provide tailored cybersecurity solutions for medical technologies.   

These companies are enhancing their offerings by integrating cutting-edge artificial intelligence (AI) technologies, in particular deep learning, to strengthen anomaly detection and threat management in connected medical systems. ‘[AI] approaches can give more sophisticated and versatile interventions for finding out anomalies in cloud-attached medical machines’, explains Omolola Akinola from the Department of Information Systems and Analysis at Lamar University, Beaumont, Texas, USA. Manufacturers of medical devices now rely on five key AI-based technologies in their fight against cybersecurity threats:  

  • Anomaly detection systems: these systems use deep learning, integrating AI within endpoint detection and response (EDR) solutions to improve threat detection for devices, including AI systems capable of automatically responding to certain types of attacks by filtering malicious traffic.  

  • Network behavioural analysis: this employs machine learning algorithms alongside enhanced penetration testing, utilising AI to optimise the search for vulnerabilities within complex medical systems.  

  • Predictive threat management systems: these systems leverage big data to provide automated and contextual analysis, implementing automated analytical systems based on correlation indices derived from cybersecurity threat intelligence reports.  

  • AI-enhanced biometric authentication: this technology strengthens security measures through advanced biometric verification.  

  • Automated code analysis for devices: using machine learning, this process analyses device code to identify potential security risks.  

All of these recent developments demonstrate that AI and machine learning have the potential to significantly enhance the cybersecurity of medical devices. These technologies offer advanced capabilities for threat detection, analysis and response, while adapting to the specific requirements and constraints of the healthcare sector.

