Meeting cybersecurity challenges with strong relationships and systematic processes
In 2007, the then US vice-president Dick Cheney had the wireless feature of his pacemaker disabled, amid concerns that a terrorist could assassinate him by hacking into the device. Today, virtually every medical device is connected to the internet, and Australia’s 2020 Cyber Security Strategy identifies the health industry as the most targeted sector for cyber security incidents after governments and individuals. There is an imperative for everyone involved in the MedTech industry to ensure connected devices are safe from a cyber security perspective.
MedTech cyber security can be viewed from a lifecycle perspective: everything that is done leading up to the product’s launch (pre-market) and everything that is done while the device is in operation (post-market).
During the design and development phases of a product, a lot of information is generated – from engineering designs to clinical trials results. This information is commercially valuable to state actors and competitors, as well as being attractive to criminals who may be targeting individuals. Post-market, there is an increasing range of risk scenarios arising from devices being compromised in use.
The ISO 14971 standard on risk management and hazard analysis provides a generic approach to identifying and addressing all risks, including cyber security. Identified risks feed back into the user needs for the device. Typically, all users and use-cases of the device are identified and, for each of these, the range of possible risks is analysed. However, the identification of cyber security risks is only as good as the knowledge of those identifying them.
Everyone recognises that more education is needed, and there are now many key organisations in Australia addressing the field. The federal government’s Australian Cyber Security Centre (https://www.cyber.gov.au/) is the focal point in Australia and provides a range of guidelines for organisations.
Of particular interest is the IoT Code of Practice: Guidance for Manufacturers. This document provides a set of principles covering passwords, vulnerability disclosure, updates, storage of credentials, personal data protection and deletion, minimising attack surfaces, communication security, software integrity, outage resilience, monitoring of telemetry, installation and maintenance processes, and validation of input data.
In the medical space, the Therapeutic Goods Administration (TGA) has produced specific guidelines for developers of devices with software and electronics components (https://www.tga.gov.au/book/export/html/874778).
Unfortunately, there are now so many cyber security frameworks in place that it is difficult to keep track of them. At the 2020 Cyber Security Forum held today and organised by MTAA, the CEO of the Australian Cyber Security Network (AusCyber), Michelle Price, said her organisation had identified some 175 different cyber security standards that product developers are meant to adhere to. AusCyber is now working with Standards Australia and the International Standards Organisation to harmonise this plethora of standards.
The real challenge for cyber security is not necessarily a technical one. Clients of Genesys rely on our expertise to ensure the connected devices we develop are secure. However, hackers are increasingly sophisticated in the way they target systems. For example, with the explosion of people working from home during Covid lockdowns, there has been a corresponding rise in hackers targeting individuals in order to gain authenticated remote access to an organisation’s network.
To move beyond technical solutions, we need strong, trusted and collaborative relationships with all participants in a project to ensure everyone is doing the right thing from a cyber security perspective. This relationship needs to be backed up by robust, systematic processes for identifying all possible cyber security risks.