When was the last time a medical device saved your life, or a loved one’s life? As citizens of a highly connected world, we sometimes take for granted the incredible technological innovation happening in the medical device world. From ground-breaking surgeries that require minimal intervention by a surgeon, to medical robots, and smartwatches that warn us of any heart irregularities to prevent a heart attack– medical devices have become an integral part of our lives.
The main engine for all that innovation is software. In recent years medical devices have undergone a real revolution, with dedicated software, or embedded software, powering almost every modern medical device: pacemakers with Bluetooth connectivity, infusion devices powered by advanced operating systems, and surgical equipment that can be operated remotely are just a few examples.
Medical Device CyberSecurity Is One of the Most Complex Technological Challenges Today
Because these are critical devices with a far-reaching impact on public health, their cybersecurity turns from a "mere" business issue into an issue of life or death. A security breach in a typical mobile app usually leaks information or hurts the company's bottom line; a security breach in a medical device could allow attackers to remotely take control of a life-sustaining device and create a direct risk to the patient.
Adding to the challenge is the medical device ecosystem's heavy reliance on the software supply chain, which introduces another layer of cyber risk. Like many other industries, today's medical device industry depends on a complex supply chain in which manufacturers from different countries supply the components that make up the final device. It is not uncommon for an infusion device used in a hospital to contain a communication module made in China, an operating system built in Japan, and a detector developed in Eastern Europe.
This requires companies to verify the reliability and safety of each component in each product they manufacture, and to make sure the device remains secure once all the parts are assembled. Tracking the supply chain was hard enough before devices relied on software. Today the challenge has grown dramatically, since each of these components contains complex software of its own, with its own dependencies and its own vulnerabilities.
Amidst Rising Concern Over Medical Device Security, the U.S. Administration Has Increased Regulation
Dr. Alan Friedman, a senior strategist and advisor at CISA (the federal Cybersecurity and Infrastructure Security Agency), was recently interviewed on "Left to Our Own Devices", an Israeli podcast on product and device cybersecurity. When asked about the nature of the challenge, Dr. Friedman, one of the most senior experts in the U.S. administration dealing with supply chain cybersecurity, said: "As a manufacturer, monitoring your software is critical. You can't conduct a modern product development process if you don't know what software you're using. Large manufacturers from all sectors have legacy processes, different product lines, and distributed management processes, which lead to difficulty in monitoring the software on an ongoing basis."
Dr. Friedman is leading a U.S. government-sponsored effort to promote the SBOM (Software Bill of Materials): a machine-readable inventory of the software components that make up a product, intended to help companies know what software is on their devices and quickly determine whether a newly disclosed vulnerability affects them. He explained the importance of the SBOM: "If your software vendor cannot or does not want to provide an SBOM, you need to ask yourself why they are hiding the information about the software they provide, and what does it mean?" He added: "A manufacturer recently pointed out to me that if he had an SBOM today, it would save him thousands of work hours a year. The ability to use advanced technology to quickly and effectively identify whether our devices are at risk or not is critical."
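As an added illustration of the check an SBOM makes possible (this is example code written for this edit, not code from the article or from Cybellum), the following Python script reads a CycloneDX-format SBOM and reports every component whose version falls below the fix version in an advisory list. The SBOM contents, component names and advisory IDs are constructed placeholders, not real products, real CVEs or any device's actual inventory; a component that ships without a version in the SBOM is flagged for manual review, because it cannot be cleared either way.

```python
"""Match a CycloneDX-style SBOM against a list of advisories.

Added example: the SBOM and the advisory feed below are constructed
placeholders for illustration; no real product or CVE is referenced.
"""
import json

# Constructed SBOM in the CycloneDX 1.4 JSON shape (fictional components).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-ble-stack", "version": "2.3.1"},
        {"type": "operating-system", "name": "medos-rtos", "version": "5.0.0"},
        {"type": "library", "name": "sensor-driver", "version": "1.8.4"},
        {"type": "firmware", "name": "vendor-blob"},  # supplier gave no version
    ],
})

# Constructed advisory feed: every version strictly below `fixed_in` is
# affected. The IDs are placeholders, not real vulnerability identifiers.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "name": "acme-ble-stack", "fixed_in": "2.4.0"},
    {"id": "EXAMPLE-0002", "name": "sensor-driver", "fixed_in": "1.8.0"},
    {"id": "EXAMPLE-0003", "name": "medos-rtos", "fixed_in": "5.0.1"},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted version such as '2.3.1' into (2, 3, 1).

    Deliberately simple: pre-release suffixes like '2.4.0-rc1' are not
    understood, so production tooling should use a real version-scheme parser.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, fixed_in: str) -> bool:
    """True when `version` sorts strictly below the advisory's fix version."""
    a, b = parse_version(version), parse_version(fixed_in)
    width = max(len(a), len(b))          # pad so '2.4' compares equal to '2.4.0'
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def load_components(sbom_json: str) -> list:
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [(c["name"], c.get("version")) for c in bom.get("components", [])]


def match_advisories(sbom_json: str, advisories: list) -> list:
    """Cross-reference the SBOM against the advisories.

    Each finding is a dict; `advisory` is None when the component carries no
    version and therefore needs manual review rather than an automatic verdict.
    """
    findings = []
    for name, version in load_components(sbom_json):
        if not version:
            findings.append({"component": name, "version": None,
                             "advisory": None, "reason": "no version in SBOM"})
            continue
        for adv in advisories:
            if adv["name"] == name and is_affected(version, adv["fixed_in"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for finding in match_advisories(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(finding)
```

Run against the constructed data, the script flags acme-ble-stack 2.3.1 (below 2.4.0) and medos-rtos 5.0.0 (below 5.0.1), clears sensor-driver 1.8.4 (already past its fix), and lists vendor-blob for manual review. The point of the exercise is the turnaround time Dr. Friedman describes: with a current SBOM for each product, a new advisory becomes a lookup rather than a survey of every product team.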
Dr. Friedman is not alone in his sense of urgency. President Biden recently issued an executive order calling for the "prevention, identification, analysis, and remediation" of cyber incidents arising from the supply chain. Another regulatory body doubling down on the issue is the FDA, which has taken significant steps in recent months and issued several guidance documents on medical device cybersecurity, emphasizing vulnerability management throughout the product lifecycle.
The Israeli Angle
It is easy to think the challenge is only relevant to large medical device manufacturers and that Israel is light years away from the problem, but this is not the case. Medical device manufacturers in Israel face the same challenges, sometimes even more intensely: a small Israeli company with only a few product lines is entirely dependent on the success of those products, and a security breach or a denial of FDA approval could mean huge financial losses or even the end of operations.
The problem has also begun to trickle down to the hospitals that use connected devices. A cybersecurity flaw in a medical device can provide an entry route into the hospital network, opening the door to a ransomware attack. Although the well-publicized breach at Hillel Yaffe was caused by outdated networks, it is not inconceivable that the next incident will be caused by a compromised device.
Either way, organizations in the medical field, from small start-ups that produce software-based devices, to HMOs, must begin to implement the policies set by the U.S. government if they want to continue operating in the global market. Cybersecurity directly impacts human life, and the sooner we understand this, the better it will be for all of us.
Written by David Leichner, CMO, and Shlomi Ashkenazy, Head of Brand, at Cybellum.