Medical device cybersecurity remains in infancy

Targeted attacks against medical devices and healthcare systems have become prominent enough to birth a new term: MedJack. Medical device manufacturers need to make this a top priority starting from the beginning of product design.

Medical device manufacturers must embrace platforms that enable connected and secure devices – and the most likely candidates to make this move first are companies that have multiple medical device divisions, says Chris Ault, senior product manager for medical software at QNX Software Systems. Ault recently corresponded with me to discuss cybersecurity concerns, explaining that integration remains fragmented across the industry, when what’s needed are homogenized technologies and solutions so developers can focus on medical device application design and functionality.

TMD: How are manufacturers coming together to address medical device cybersecurity?

Ault: When it comes to safeguarding medical devices and networked connections to hospital infrastructure, the medical device market is still in its infancy. We have no other option but to work together on this, but the question is who or what will be the driving force behind this movement, and what will motivate the industry as a whole to change, to improve?

Certainly, one compelling event would be a government mandate. That said, government initiatives are typically regional and therefore not global or holistic in nature. Another, perhaps preferred, approach would be the development of an industry consortium. After all, there is no defined industry standard for cybersecurity and without that, there can be no coming together.

In addition, cybersecurity can, and does, span beyond just a single medical device – it encompasses boundary-access control, safeguards within each device’s operating system, networks, and network access points. All of this equipment is developed and maintained by separate vendors, each working independently. With a government mandate, or an industry consortium, safeguards can be specified for global adherence.

TMD: Is there a move toward homogenization of hardware and software platforms within the industry?

Ault: Homogenization across the industry seems unlikely, for the simple reason that the medical device market is so inherently diverse. Let’s consider the three main segments: consumer, diagnostics and therapy, and medical imaging.

Within the consumer segment, devices as simple as a digital thermometer may feature a low-end 8-bit microcontroller (MCU) and wireless module to communicate with an aggregator device such as a smartphone or tablet. Other common consumer devices include digital weight scales, blood oxygen meters, blood glucose meters, spirometers, and even blood pressure cuffs. Most devices in this group typically use low-end MCUs with no external memory and no operating system.

The next segment, diagnostics and therapy, often includes clinical-grade laboratory equipment. Here, you’ll find genomic testing equipment, automatic external defibrillators, implantable pacemakers, ophthalmologic surgical equipment for laser correction and cataracts, robotic surgery – the list goes on. The technology platform required to support low power, purpose-specific functions, such as a cardiac implant, would differ greatly from a technology platform that supports a robotic surgical arm, for example. The electro-mechanics are completely different.

Medical imaging technologies round out the third segment. Here you’ll find ultrasound, digital X-Ray, MRI, PET, CT, and nuclear imaging modalities, among others. Many imaging modalities leverage Microsoft Windows-based workstations and servers with the guts of the imaging equipment itself varying in complexity and using a variety of technology platforms.

Given this technology platform diversity and the need to serve that diversity across the estimated 8,000 medical device manufacturers, expect no homogenization industry wide. I do, however, expect to see more homogenization within corporations that have multiple divisions developing medical devices with similar functions, as this drives resource efficiencies throughout the organization, both in development and maintenance.

TMD: How do continuing mergers and acquisitions in the medical industry affect cybersecurity and platform concerns?

Ault: Large multi-nationals look for smaller companies and start-ups that have assumed much of the risk and cost of developing new innovative intellectual property. When merging or acquiring a company, the due diligence process must evolve to include cybersecurity vulnerability assessments, not just the traditional interests of financials and core intellectual property (IP). After a merger has taken place and technologies begin to interoperate, the scope of cybersecurity broadens with the scope of the overall product offerings. This harkens back to my initial point on the need for an industry consortium – with adherence to standards, this effort can be mitigated though the scope still increases with mergers and acquisitions. Offering a holistic cybersecurity approach across disparate products, even within a portfolio, can grow in complexity as products are added.

TMD: Medical devices and equipment continue to become more personalized. How does cybersecurity affect medical device designers and engineers developing new products?

Ault: Think of the wearables market as it is today. Apple, Garmin, Microsoft, and Nike offer wellness products that are comfortable to wear and feature human interface functions that help make these products appealing. Appealing isn’t exactly what comes to mind when you think about traditional medical devices. The speed at which wellness products are converging with traditional consumer medical devices is accelerating. More wellness devices are adding in medical-centric features such as pulse oximetry and ECG as opposed to heart rate only. In a recent example, Apple’s CEO expressed interest in developing adjunct medical devices that would require FDA approval to interface with their iWatch ecosystem. These devices will be modeled after consumer cool factors and easy-to-use consumer models, while requiring medical-grade safety, performance, robustness, and even security.

TMD: Time-to-market continues to be a key driver in the medical device industry, so how do cybersecurity concerns influence the design and manufacture time of new products?

Ault: As governments and corporations come together to develop meaningful cybersecurity standards, time-to-market will undoubtedly improve because of objective performance results and a more standardized certification process. As platforms become homogenized within corporations, time-to-market will undoubtedly improve with less re-invention and greater efficiencies of scale.


TMD: Where does QNX Software Systems fit within the medical device design and manufacture sector?

Ault: QNX is a trusted OS and technology supplier for a variety of safety-critical medical devices. With a portfolio of pre-integrated technologies, including a third-party verified IEC 62304 compliant OS, engineering services, and a broad ecosystem of partners, we allow medical device manufacturers to focus on their IP, application design, and specific value proposition. We help power a wide array of medical devices, many of which are Class III life-critical systems, including blood diagnostics, robotic surgery, ultrasound imaging, infusion therapy, patient monitoring, heart resuscitation, and CT scanning.

TMD: Final thoughts?

Ault: I can’t understate the importance of addressing cybersecurity in medical devices. The rise of targeted attacks against medical devices and healthcare systems became so prominent that last year it gave birth to a new term: MedJack. Nearly every week a new story emerges, outlining a new hack, exploiting yet another medical device. Access is commonly gained to either stored data or, even worse, hospital IT systems. We’ll definitely see medical device manufacturers, their ecosystem partners, and even government entities come together in the future to improve medical device and hospital IT security.

QNX Software Systems

www.qnx.com

Elizabeth Engler Modic is the editor of TMD magazine. She can be reached at 216.393.2064 or emodic@gie.net.

January February 2016