Medical Device Security: Patient Safety
Updated: May 21, 2021
The Department of Homeland Security assigns direct patient care as the largest sector in the United States that includes healthcare systems, professional associations, and a wide variety of medical facilities, public health and emergency medical services. The Laboratories, Blood and Pharmaceutical sector was targeted the most by cyber-attacks, reporting nearly half of all data breaches in the sector over a 12-month period . Recently, there is renewed focus around board accountability and personal liability as a result of physical harm caused by a cyber-attack. In a study by Gartner (2020), they predicted that the financial impact to firms will exceed $50 billion by 2023 resulting from physical harm—criminal charges may result as a further consequence . Physical harm occurs when technologies (e.g., internet connected vehicles, smart home and medical devices) merge under real world conditions that may cause injury to a person. Medical devices can merge technology and biological processes together, revealing new concerns around patient safety.
Healthcare has accelerated their digital device ambitions with computerized medical devices that are standalone or integrated with wireless receivers, cloud data storage, and the Internet. Implantable Medical Devices (IMDs) started in the 1960’s where it is believed that the first insulin pump was developed for commerical use. By September 5th, 1980, the insulin pump was successfully implanted into a human body as a self-contained device without the support from a physician . Over the years, further progress was made on miniaturizing IMDs down to 1mm in size (i.e., a device no larger than the width of a coin) and implanting it through minimally invasive techniques to lessen the pain and improve healing time . Adoption continues to ramp up as costs have lowered for embedded systems and energy efficiency output has increased for use by wireless connections. The devices have sensors which enable physicians to gather a wide range of physiological values such as neural activity, heart rate, blood pressure, temperature and oxygen saturation . In some cases, its used to provide appropriate treatment such as restoring regular heart beat or even halting tremors. On-board radios are enabled wirelessly to transfer data and maintain homeostasis through monitoring without hindering the patients’ mobility or even requiring surgical procedures to access it.
There are four categories of IMDs that are in use by physicians:
Cardiac Implanted Device treat conditions by monitoring the heart’s electrical activity.
Neuro-stimulators use electrodes that are inserted around the brain to stimulate different regions.
Drug Delivery System use either a sustained or variable release of a compound over a specific duration for a prescribed therapeutic.
Cochlear Implants sit behind the ear and are embedded under the skin to provide the sense of sound for the nearly deaf.
These devices have the potential of causing an adverse event from a cyber-attack shown in Figure 1.
Note. The adverse events matrix shows the type of negative medical effect due to vulnerable IMDs .
Cardiac Implant Systems, such as pacemakers and defibrillators, are used to report status of a patient’s health and alert the physician as a precursor to an adverse event. Networked IMDs are an option for remote access and management by physicians. In Figure 2, the deployment used an implantable cellular GPRS transmitter to send health information via a data-center to analyze patient health in real-time.
A Cardiac Implant System
Note. The link between a healthcare provider and interconnected devices such as a website, data-center, transmitter and receiver .
Neuro-stimulators are used with an implant inserted in the brain with an extension wire to a device to adjust the electrical impulse. These devices require a short-range radio to maintain its power source. In a study on battery drain conducted by Fakhar et al. (2013), it was noted that replacing the IMD before end-of-life/battery drain, mitigated adverse effects caused by a device failure . The programmers would have to monitor voltage levels at the clinic, but could not investigate or manipulate through remote support . In Figure 3, the Deep Brain Stimulation (DBS) is used to treat a patient’s condition.
A Neuro-stimulator using Deep Brain Stimulation
Note. DBS is used to treat various neurological issues. The electrical stimulation can be adjusted by the neurostimulator in order to achieve the desired result. The device can also be a power source used to treat other conditions besides neurological.
Drug Delivery Systems use microchip technology for on-demand release of a compound. These devices require a short-range radio and a device that generates a low electrical current in order to dissolve a shield over the reservoir. In Figure 4, a microchip is implanted under the skin and a voltage is passed through it which holds reservoir containing a therapeutic.
A Drug Delivery System microchip
Note. This wafer thin microchip contains a therapeutic in each reservoir opening. A electrode would be over each opening that acts as a shield and would be chemically dissolved by passing a current through it. Sending a radio transmission is one way to dissolve the outer layer to release the therapeutic .
Cochlear implants use a wireless remote microphone system to improve speech recognition . In Figure 5, the system uses a short-range radio to send implant instructions to enhance the speech signal that was captured. This device has an external radio and battery.
A Cochlear Implant
Note. A Cochlear implant is fine-tuned at dBA levels for sentence recognition by the patient by stimulating the auditory nerve. Extreme dBA levels can further damage or cause interference with its intended use. dBA is a range of sound levels that are picked up by the inner ear.
METHOD OF ANALYSIS
After understanding the landscape and potential safety concerns using IMDs, a risk assessment should be performed using a management and control framework such as NIST 800-37/800-53. These frameworks help assess the likelihood and impact of a IMB to patient safety and inform the risks to the firm. While it is important to avoid data losses as part of a comprehensive risk analysis, changes have been proposed by industry experts with safety in mind (i.e., safety being added to the confidentiality, integrity and availability security principles) and to incorporate various attack scenarios with IMDs [10,11]. In Figure 6, Forrestor used 4 attack scenarios that IMDs could be potentially exposed to .
Risk Heat Map
Note. A heatmap that shows patient impact based on known threats and vulnerabilities in 2016. Attack scenarios can lead to a patient safety issue. Observe the risk severity outcome for each form of attack.
Risk Treatment Plan
If a firm has a large position of IMD assets, it is necessary to prioritize the most severe for patient safety while directing resources, time and budget to address it. In the context of each of the 4 IMD categories, the networked Cardiac Implant System has the greatest risk based on its long range capability. Also, its used for centralized administration and remote diagnostics in order for physicians to treat each patient. The interconnection between multiple systems and support staff expands the threat landscape considerably, while providing the most attack scenarios for bad actors to exploit. Compared to a Neuro-stimulator, Drug Delivery System or Cochlear Implant, these devices have a lower prioritization due its limited radio transmission of up to 300 feet and having a partially or fully closed system .
In Appendix A - CARDIAC IMPLANT SYSTEM RECOMMENDATIONS FOR TECHNOLOGISTS, provides an example of how each control category could be met by applying the protection, detection and threat response to a Cardiac Implant System. Networked IMD recommendations may differ depending on the context.
Device manufacturers also have a role to play for quality control of their products. They may receive Open Trusted Technology Provider Standard and Framework (OTT-PS/PF) certification for three levels of security :
• Tier A: Self-Assertion and Third-Party Administration;
• Tier B: Third-Party Accreditation; and
• Tier C: Third-Party Accreditation of Specific Products.
Certification will provide the firm’s assurance over manufacturer supply chain practices and increased confidence over counterfeit/tampering of the various system components. As new and emerging threats evolve, so do the security dimensions related to it. The IMDs should be continually reviewed and the risk assessment refreshed as changes to the threat landscape occur.
The innovative use of IMDs have significant impact on patient safety if not properly met with a disciplined approach to risk management. The adverse events as a consequence of a cyber-attack must be addressed if a firm is to avoid financial and/or criminal consequences. IMDs should be reviewed using a risk assessment approach that is prioritized based on severity in the following order--networked, radio, and semi-to-closed loop systems (i.e. long, medium, short-to-zero range systems) to prevent exploitation by a bad actor. Certification of device manufacturers should be obtained with assurances over their quality control procedures.
Subscribe for free to access the appendix:
 Department of Homeland Security, “Healthcare and Public Health Sector-Specific Plan,” 2016.
 Susan Moore, “Gartner Predicts 75% of CEOs Will be Personally Liable for Cyber-Physical Security Incidents by 2024,” 2020-09-01. [Online]. Available: https://www.gartner.com/en/newsroom/press-releases/2020-09-01-gartner-predicts-75--of-ceos-will-be-personally-liabl. [Accessed: 11-Sep-2020].
 S. Kobes, “Security implications of implantable medical device.,” 2105.
 T. Tokuda et al., “World’s smallest optical implantable biodevice,” Nara Inst. Sci. Technol., 2018.
 S. Tsumoto and S. Hirano, “Healthcare in Information Technology: Integration of consumer healthcare data and electronic medical records for chronic disease management,” 2014.
 C. Camara, P. Peris-Lopez, and J. E. Tapiador, “Security and privacy issues in implantable medical devices: A comprehensive survey,” J. Biomed. Inform., vol. 55, pp. 272–289, 2015.
 C. Guedes Arbelo, I. M. Martos López, and M. de M. Sanchez Guisando, “II Conferencia Internacional de Comunicación en Salud,” 2015.
 K. Fakhar, E. Hastings, C. R. Butson, K. D. Foote, P. Zeilman, and M. S. Okun, “Management of Deep Brain Stimulator Battery Failure : Battery Estimators , Charge Density , and Importance of Clinical Symptoms,” vol. 8, no. 3, 2013.
 M. S. Okun and P. R. Zeilman, “Guide to Deep Brain Stimulation Therapy Parkinson ’ s Disease :”
 A. E. M. Eltorai, H. Fox, E. Mcgurrin, and S. Guang, “Microchips in Medicine : Current and Future Applications,” vol. 2016, 2016.
 E. Schafert, “Improving Hearing Performance for Cochlear Implant Recipients with Use of a Digital , Wireless , Remote- Microphone , Audio-Streaming Accessory,” vol. 539, pp. 532–539, 2015.
 C. Sherman, “Healthcare ’ s IoT Dilemma : Connected Medical Devices Healthcare ’ s IoT Dilemma : Connected Medical Devices,” Forrestor, 2016.
 FCC Public Notice Dated July 24, 1991. .
 D. Inserra and S. Bucci, “Cyber Supply Chain Security: A Crucial Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace.” [Online]. Available: http://www.heritage.org/research/reports/2014/03/cyber-supply-chain-security-a-crucial-step-toward-us-security-prosperity-and-freedom-in-cyberspace.