Can Your Insulin Be Hacked? Canada’s Guidelines on Cyber Security of Medical Devices

What would happen if your bank account was hacked? Well, it is obvious you may suffer significant monetary loss in such a scenario. Now think again, what if your insulin pump is digitally compromised? In such a case, your life may be at risk.  With the advent of technology, the hacking of medical devices has become fairly easy. Consequently, cyber attacks on medical devices is no longer a plot for suspense thrillers, it has become a matter of serious concern for the government, patients, and manufacturers.

Why a Legislation on Cybersecurity of Medical Devices is required?

The Bayer Medrad is known to be the first medical device to be hacked in the US. It is believed that in the year 2017, North Korea hacked and infected medical devices and computers at US hospitals. A piece of radiology equipment which was used to enhance imagery was compromised. This ransomware attack resulted in the shutdown of machines causing monetary losses.

It is noteworthy that there have been numerous instances where hackers have targeted hospitals instead of individual patients. Such attacks target the vulnerabilities in the networks and can at times result in shut down of the entire hospitals.

Moreover, hacking of drug infusion pumps used to administer insulin, chemotherapy drugs, pain relievers, antibiotics, and nutrients can cause significant health risks. Under or overdosage of these drugs may even result in deaths. The hacking of implantable devices such as pacemakers is not difficult and therefore extremely dangerous. Fearing a possible assassination, United States President Dick Cheney instructed the manufacturer of his pacemaker to disable its wireless capabilities.

Inevitably, the cybersecurity of medical devices has become a primary concern for Health Canada. At present, the government has issued guidelines in this regard. Even though the guidelines are not enforceable, it represents the political will of the government.

Tenets of the Guidelines –

Health Canada recognizes that the medical devices operate on remote access, shared networks and complicated software. There is data exchange between medical devices which makes them susceptible to cyber attacks.

The onus of ensuring cyber-security and data protection is placed upon the manufactures. The manufacturer shall ensure the compliance of the guidelines by –

1. Secure design – The manufactures must work on secure designs from the development stage itself. They must choose designs which may maximize cybersecurity. The manufacturer may consider design controls (such as secure communications, data security, user access, software maintenance, hardware design, reliability, and availability) that are able to detect, resist, respond and recover from cybersecurity attacks.
2. Risk management – The  ISO 14971-07:2007  should be implemented for the life-span of all medical devices. The manufacturers are required to analyze and evaluate the risks involved and then establish safety controls which mitigate risks without harming the patient. Thus, ensuring a balance between cybersecurity risk management and patient safety management.
3. Verification and validation testing- The risk controls should correspond with the design requirements. Cybersecurity testing is required to mitigate cyber risks. The UL 2900-1:2017 and UL 2900-2-1:2018 standards for guidance on cybersecurity testing is recommended. Thus testing of vulnerabilities and software weakness is essential.
4. Continuous Monitoring – The manufacturers are required to demonstrate their will of continuously monitoring cybersecurity threats in their pre-market license application.

They are required to provide:

• a copy of all labels and documentation relating to the device,
• marketed history including any reported problems,
• risk management report,
• device-specific quality plan,
• reliable studies to prove that the products are secure and effective. Thus the manufactures must submit a declaration of conformity stating that the standards have been met, cybersecurity testing evidence, traceability matrix and summary of maintenance plan.

Conclusion

The guidelines lay down certain cyber-security principles and policies to be followed by manufacturers. However, the government needs to strengthen and elaborate on these guidelines. Third party annual audits must be made mandatory. Awareness campaigns must be run to help consumers make informed choices. Consumers must be encouraged to read labels, packaging and company policy regarding device cyber-security. Specific courses for other stakeholders such as hospital staff, healthcare professionals and medical representatives should be designed. Such courses would be essential to impart preliminary technical knowledge required to detect a cyber-attack. Health Canada has done a commendable effort by laying these guidelines, however, they do not have a binding effect. It is anticipated that legislation would be enacted at the earliest. Such legislation must include specific penal provisions to ensure accountability on part of all stakeholders and not just manufacturers.