In late October, the Cyber Security Agency of Singapore (CSA) announced a new Cybersecurity Labelling Scheme for Medical Devices (CLS-MD), jointly with the Ministry of Health, the Health Sciences Authority and Integrated Health Information Systems (IHiS). The scheme responds to the growing need to understand and manage the cybersecurity risks of connected medical devices, which have become ubiquitous not only in clinics and hospitals but in daily life.
It came shortly after the Healthier SG initiative unveiled key features meant to encourage people to take charge of their health. That initiative will increase reliance on a common healthcare technology infrastructure for sharing data and information, in the interest of effective and efficient healthcare delivery.
As innovation in the sector accelerates, more advanced and connected medical devices are coming to market and being adopted by consumers and healthcare providers. Software as a medical device (SaMD) and software in a medical device (SiMD) are also growing in prominence.
Medical devices will proliferate to the point where patients carry them everywhere, and consumer devices for fitness and health maintenance reach medical-grade capabilities. Given these developments, how can we be confident that such devices deliver their intended healthcare benefits without becoming too invasive or compromising our privacy?
Multiple attack vectors
The Internet of Medical Things (IoMT) must guarantee patient safety on two fronts: the physical, given how intrusive some devices are to the human body, and the digital, given the privacy concerns around electronic records. Every connected device expands the attack surface, and the specific challenge is that many legacy devices lack even rudimentary cybersecurity capabilities such as authentication, encrypted communications and a way to receive security updates.
Consider actuating devices such as pacemakers: can we trust that they are safe to use as connected devices? Security researchers have demonstrated that pacemakers can be compromised by external actors able to alter the pacing of the heart, with cardiac arrest and death as the potential outcome. Such attacks have so far been demonstrated in research settings rather than observed against real patients, and this is an extreme case, but because lives are at stake it calls for special precautions and dedicated risk management.
For about two decades, hospitals have been digitising at an accelerating pace, connecting their systems, from X-ray machines to laboratory tools, to networks and to the cloud. Doctors now provide remote assistance and diagnosis, even more so since the start of the pandemic. Cybersecurity has only been discussed more recently, as the risk of remote attacks, which could disrupt emergency services, has grown.
There are other factors to keep in mind beyond the patient's physical health. How do we protect sensitive medical data and the patient's privacy? Healthcare records have been breached before, in Singapore most notably in the 2018 SingHealth incident. Major privacy regulations such as the GDPR in Europe affect organisations around the world, and Indonesia recently passed a privacy law with extraterritorial provisions covering Indonesian citizens outside the country.
Another commonly overlooked aspect is cybersecurity risk in the medical cyber supply chain. Today a blend of manufacturers, distributors and resellers supplies medical devices and integrated solutions to healthcare providers and consumers. How can we ensure that every player, and by extension its products and services, can be trusted? Threat actors are already targeting the supply chain because it offers deep and widespread impact: compromising source code or build systems at a manufacturer lets them reach every service provider that deploys the product, without having to attack each one individually.
Some groups have invested heavily in compromising hardware at the firmware level, which is among the more sophisticated classes of attack. Once the firmware is corrupted or compromised, the medical device no longer works as designed, and because firmware sits below the operating system and applications, the compromise can persist through software reinstalls and escape conventional endpoint monitoring. Global tensions are rising, and state-sponsored actors are becoming more blatant in their cyber-attacks. Hacktivists have also become very competent, matching the skills of organised crime groups.
Certifications and challenges
Under CLS-MD, medical devices will be rated at one of four levels, each requiring progressively more rigorous testing and assessment of their cybersecurity risks.
The entry level covers the basic HSA requirements, while the higher levels, for which consultations with the medical device industry and associations are still ongoing, will involve additional assessments, including by independent testing organisations. A certification model creates a foundation, but it cannot solve the problem alone: a label reflects a device's security at the time of assessment, and because cyberattacks constantly evolve, products must keep adapting after the label is awarded.
It is not just a manufacturers' problem. Healthcare professionals have to adapt too and deepen their understanding of cybersecurity risks, and the industry needs to develop talent and bring in specialists. Who makes the call and isolates a device when it starts behaving suspiciously? Who alerts the manufacturer?
Organisations are struggling with limited resources while still facing the vulnerabilities that a sophisticated, well-funded, state-sponsored attacker can exploit. Taking out cyber insurance to cover possible damages does not fully address the problem, and insurance has become expensive as insurers have tightened their terms and conditions to contain rising losses.
Organisations now need to consider redirecting some of their allocated funds into response and recovery capabilities, investing in people as well as technology to shore up their cyber defences.
Given these dangers, the healthcare sector faces tremendous additional challenges and risks. A labelling scheme is a great first step, but only a first step in what will be a long and difficult journey for the entire industry.
The writer is vice president of advisory at Ensign InfoSecurity
Source: Business Times © Singapore Press Holdings Limited | Reproduced with permission.
IHiS has rebranded as Synapxe, the national HealthTech agency.