Connect with us


Cybersecurity, the need for data and patient safety with IMDs

It is essential that all stakeholders, come together on a common platform to address cybersecurity concerns in the area of implantable electronic devices.

Since more than a half century, cardiac pacing and defibrillation represent a field in constant evolution, and have shown some great technological advances from conception to methods of insertion. Cardiac defibrillation also underwent some great technological advances in a relatively short period of time, since the first implantable cardioverter defibrillator (ICD) implantation in 1980, and the first biventricular pacing report in 1994.

Technological advances in microprocessors, high-density battery designs, and biomedical engineering in the last 2 decades have brought major changes to the way we monitor and treat patients. These effects have been felt mostly in the field of cardiology, specifically in the realm of cardiac implantable electronic devices (CIEDs), which include 2 broad categories: permanent pacemakers (PPMs) and implantable cardioverter-defibrillators (ICDs). PPMs and ICDs differ in programming and functionalities, but at the heart of the technology is a programmable platform, a lithium ion or other type of battery, a capacitor, and a pulse generator. With the advent of the Internet of Things (IoT), these devices can be used to remotely monitor patients through cloud-based servers that provide data to the physician or healthcare team.

Several studies have shown that remote monitoring of these devices improves patient outcomes, survival, and hospitalizations, and is being recommended as standard of care in multiple consensus statements and guidelines. However, with the increased dependence on IoT comes a risk in the form of cybersecurity lapses and possible attacks.

The devices are vulnerable to radio frequency (RF) cyber-attacks. Besides, they communicate with medical equipment whose telemetry capabilities and IP connectivity are creating new entry points that may be used by attackers. Therefore, it remains crucial to perform a cybersecurity risk assessment of the device and the systems they rely on to determine the gravity of threats, address the riskiest ones on a priority basis, and develop effective risk management plans.

“Defibrillators are central in any advanced or even basic ICU. From a public health standpoint large scale deployment of more affordable, portable and automatic AED’s/defibrillators in public places, residential and commercial complexes and public areas should be done. BLS Education should be made mandatory for all.”
Dr Umesh Gupta
Chairman, Umkal Hopsital

CIEDs-A case study. The CIED ecosystem comprises the implantable device; an external programmer, a home monitor, the cloud server and proprietary software/hardware used by the physician’s office to access patient data. The flow of data and information between these devices occurs via various open source and proprietary protocols that can be exploited. Detailed information on the hardware and software architecture is difficult to obtain due to the proprietary nature of such devices, but a basic understanding of the devices can be formulated based on information gathered from patent documents and reverse-engineering efforts of cybersecurity experts.

The CIED communicates with the home monitor and external programmer using either short-range (0–10 cm) inductive coil telemetry (ICT) with a frequency band of 0–300 kHz or long-range (0–200 m) radiofrequency (RF)-mediated telemetry with a frequency band of 402–405 MHz. The latter frequency band, also known as the medical implant communication service (MICS) band, initially was allocated by the Federal Communication Commission. Because the MICS band is shared with devices utilized in metrological services, its use has been normalized to avoid interference. The devices use interference mitigation techniques such as listen before talk to determine the least interference channel and use adaptive frequency agility to transmit on the least used channel.

Although the signal transmission is governed by well-documented international protocols, the same does not hold for device authentication. Existing regulations define good practices but are not binding on manufacturers. Moreover, due to the limitations imposed by CIED size and design, use of resource-intensive cryptographic practices, such as asymmetric cryptography, is difficult. The data collected by the home monitor and the external programmer are transmitted to the cloud server and further relayed to the physician’s office over the Internet using a virtual private network (VPN). Unfortunately, there is a threat of the transmission being hacked during all stages of the flow of information. Per present guidelines, the CIED cannot directly interact with or download firmware from the cloud server. This is accomplished only through the external programmer at the physician’s office using RF telemetry or ICT. However, the RF transmission can be intercepted using a software-defined radio (SDR), and then sensitive data could be viewed or malware implanted into the device during firmware update.

Cybersecurity is a collaborative effort among device manufacturers, regulatory bodies, professional organizations, physicians, information technology (IT) security experts, and, last but not the least, patients. The cybersecurity aspects must be incorporated during the design phase of the device, as resource constraints on computing and cryptographic algorithms need to be tackled.

Device manufacturers
Device manufacturers should be cognizant of cybersecurity threats during the device development phase. Use of the latest OS, healthy coding practices, and integration of firmware that can be updated at later dates are some of threat mitigation steps that can be followed by manufacturers. There has been increasing criticism by IT security experts and patient advocacy groups regarding the use of proprietary and black-box algorithms and codes by device manufacturers. Manufacturers should use open source OS and make their source code public. These steps help in effective debugging of codes and timely reporting of security threats that can be acted upon. Encryption of patient data and secure transmission protocols should always be used and should be part of the device development process.

A more robust collaboration effort across the vendors is required to jointly develop standards that improve and promote herd immunity.

It is essential that all stakeholders, including medical device manufacturers, federal regulatory authorities, patients, patient caregivers, and healthcare providers appreciate that any medical device connected to a communications network (for example: wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users. Security should be considered at the design phase and carried forward to the implementation and post marketing survey phases.However, the increased use of wireless technology and software in medical devices can also offer safer, more convenient, and timely healthcare delivery.

Copyright © 2024 Medical Buyer

error: Content is protected !!