This site is intended for health professionals only

Cyber security

Cyber security
22 April 2016

Technology is playing an increasingly bigger role in healthcare and it has been of great help to patients and healthcare professionals. But safety concerns have often been raised over the use of digital devices in the NHS

Technology is playing an increasingly bigger role in healthcare and it has been of great help to patients and healthcare professionals. But safety concerns have often been raised over the use of digital devices in the NHS

Digital health is a hot topic in healthcare, offering more effective and more efficient personalised healthcare to patients and carers. Devices such as fitness trackers, heart monitors and insulin pumps connected into a medical internet of things (IoT) (a network of physical objects – devices, vehicles, buildings and other items – embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data), enable us to monitor our activity, heart rate, and blood pressure. We can ask for our genome to be sequenced and interpreted, and pharmaceutical and health organisations can apply big data analytical techniques to collect and process large amounts of data. All of these can feed data into our own personal interactive health record with alarms and notifications sent to the relevant healthcare professionals.
Digital health is all about the use of emerging technologies to enable better health and care for patients and carers. It offers great potential for better self-care, more pro-active health management and faster recovery from diseases. Within hospitals, increased digitisation will decrease error rates, offer faster recuperation, and enable skilled clinicians to co-operate across borders with sick patients. Digitisation enables pharmaceutical companies to create personalised drugs based on individuals’ genomic sequences, more effective measurement of drug uptake and efficacy, and enables a closer relationship between pharmaceutical companies and patients. The increasing digitisation of the enterprise and production systems, together with improved data analytics capabilities, opens up numerous opportunities for healthcare organisations to improve efficiency and enhance patient care.

Cyber security breaches
At the same time there are cyber security breaches into sophisticated and well-managed companies by hackers, criminals and nation states. Intellectual property is stolen, confidential emails are shared publicly, and medical records used to create fraudulent new identities. Target’s data breach in 2014 involving a reported 70 million credit card records; JP Morgan Chase’s data breach involving 76 million accounts; and Anthem’s loss of personal information of its clients and employees earlier in 2015, are some of the recent major security breaches.
Information security has three key components: confidentiality, integrity and availability. Compromising information leads to financial losses and reputational damage, but compromised medical device systems could have far reaching impacts including loss of life.
 Looking at it another way, cyber security breaches into medical devices potentially impacts personal information, but of far greater concern is integrity and availability. It is of greater concern if a patient’s recorded blood type is changed (integrity) rather than it being divulged (confidentiality).
Over the past six months the US Food & Drug Administration (FDA) has issued two advisories on cyber security for certain products. There are two types of concern:
1 Hackers accessing a medical device through poor access security, such as the ‘back door’ used by the supplier to update any software, and then gaining access into the hospital network. Our researchers see that medical devices can be discovered on hospital networks from internet searches, which hackers may well exploit in the future.
2 The more serious relates to security vulnerabilities in medical devices. Vulnerabilities were recently found in certain Hospira infusion pumps. This led to the FDA issuing a safety advisory in July 2015. Unauthorised users could access the pumps over the hospital network and then control the infusion pump and modify the dosage it delivered. This could potentially lead to over- or under-infusion of critical patient therapies.
One key problem is that medical devices may use technology designed as specialised and isolated systems and not built to withstand cyber security attacks. Vulnerabilities in the design or implementation of a medical device, such as an insulin pump, or in anything interconnected to such devices could result in loss of device integrity and potential harm to patients if they are exploited in a cyber-attack. As devices in hospitals become increasingly connected, it can only increase the risks of unauthorised users gaining access into operational hospital systems, through insecure access points and poorly designed medical devices.

Managing the risk of cyber security in medical devices
Risk is an inherent part of any organisation, and cyber risks are only one aspect of this. In KPMG’s (Klynveld Peat Marwick Goerdeler) experience the most robust approach to addressing cyber security risk is to understand who is targeting the organisation, what they want, the potential impact and the controls in place. This approach allows operators and managers to balance disruption against the cyber risk while, at the same time, providing assurance that interconnectivity between medical devices and the enterprise will not compromise core operational processes. The key is to place appropriate focus on both the strategic and the tactical elements. The tactical elements are important to deliver cost savings and add value, but the strategic elements are usually even more important to ensure sustainable investment.

Medical device regulation
There are a number of regulations around medical devices issued by the EU, the Medicines and Healthcare Products Regulatory Agency (MHRA) in the UK and the FDA in the US. The MHRA has issued draft guidance over medical devices to take into account recent developments in apps. This uses the EU Medical Device Directive’s definition of a medical device as being used for the purpose of:

  • Diagnosis, prevention, monitoring, treatment or alleviation of disease.
  • Diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap.
  • Investigation, replacement or modification of the anatomy or of a physiological process.

The US organisation, the FDA, responsible for health safety is working closely with the manufacturers, healthcare providers, security researchers and other regulators, to ensure that medical devices have secure design and development throughout their life cycles.

Commissioners’ role
So, how can commissioners gain assurance that there is appropriate security over medical devices?
A first approach for commissioners could be at a local level where the team responsible for gaining assurance over healthcare providers could request information from the providers in a similar way to gaining assurance over other patient safety risks. Suitable information could include:

  • Independent assessment of cyber security of medical devices, including patch management processes, by cyber security specialists.
  • Verification of conformity with EU regulations over medical devices.
  • Assurances from medical device manufacturers that the device is cyber-secure.

The audit committee at the commissioner may also request assurance over the safety and cybersecurity of the medical devices. This would be fed into the commissioner’s risk assessment and be reported back to the board.
In reality though, the health economy is increasingly disparate. Contracts for provision are made to numerous small and large providers: some health, some private sector, some third sector, and some social enterprise.
The commissioner landscape is also very disparate with services commissioned by clinical commissioning groups (CCGs), NHS England and local authorities, and some commissioners are very small with less than 30 staff. Even if such assurance was requested of providers, there is often no one with sufficient experience and time to review this information, especially from all these providers.
A key point is that the national assurance by NHS England doesn’t mention the requirement for this, and so with commissioners running ever leaner, they will focus on the ‘must-dos’ from NHS England.
A second approach for commissioners could be to rely on national assistance in getting assurance.
1 Commissioners rely on the NHS national standard contract locally agreed schedules, particularly quality. Contract staff, usually outsourced to commissioning support units (CSU), monitor provider information against contracts and use contract levers if the performance doesn’t match. The national contract presently only focuses on the device’s compliance with the Information Governance toolkit with no other focus on the cyber security of the devices. The national contract could be updated to include effective and appropriate cyber security in medical devices.
2 As a second line of defence the commissioners could rely on the provider’s self-assessment on the Information Governance toolkit. More could be included into the provider requirements on digital health and cyber security which could be provided to the commissioner.
3 The commissioners also rely on the Care Quality Commission’s (CQC) and Monitor’s assessment of providers. More could potentially be done with these organisations giving assurance medical devices are safe and secure.
Finally, we’d expect the MHRA to play an increasing role is issuing standards and regulations around their security expectation of medical devices, in a similar way to the FDA in the US. These standards should state their expectations that devices are designed and developed to be cyber secure throughout the product lifecycle and that vulnerabilities are automatically and proactively disclosed. Although the current risk of a security incident may be unlikely, the impact on an individual patient could be severe.

Caroline Rivett, information protection for digital health director at KPMG.

Want news like this straight to your inbox?

Related articles