Published: 25/10/2024
Keep "hospitals at home" secure by design
IT failures can have serious consequences across sectors such as road and air traffic. This is also true of healthcare as it expands to applications like monitoring at home – based entirely on networked medical technology. Cybersecurity is critical to such applications, but processes for regulatory approval aren’t keeping pace with technology. The EU’s CYMEDSEC project seeks to improve approval processes and move toward higher security standards. We spoke with Professor Stephen Gilbert, coordinator of the project.
It is abundantly clear by now that the entire world is moving toward greater levels of being networked. The healthcare industry isn’t an outlier in this respect: the Internet of Medical Things (IoMT) was worth $47.32 billion in 2023, and is forecast to grow to $814 billion by 2032.[1] Along with that meteoric growth comes heightened risk, however, as bad actors multiply. A ransomware attack on a hospital or healthcare system has a huge price. Patients’ lives are at stake in case of a failure of an IT system.
Since the COVID-19 pandemic, another scenario is increasingly in play, explained Stephen Gilbert, Else Kröner Professor for Medical Device Regulatory Science at the EKFZ for Digital Health at TU Dresden. Patients are now discharged at an earlier stage than they would have been, pre-pandemic, so they can continue their recoveries at home. Indeed, a new term, “hospital at home,” was coined to describe this situation. Patients are given monitoring devices that provide data to their medical facility, while they enjoy the healing power of being at home with their families. Such a setup has significant benefits, including freeing up space in hospitals, and a lessened risk of infection to patients themselves.
These devices have to be networked to the supervising medical facility, which opens up new portals for attack outside the facility itself. This is significant because:
- data privacy must be ensured
- monitoring equipment cannot be compromised, as this could lead to failure, or the provision of incorrect data
“The home clinic brings with it great advantages, but also risks, and the latter have primarily to do with cybersecurity,” stated Prof. Gilbert.
Raising awareness of threats to cybersecurity is crucial. Part of the coordinated response to these threats is setting October as Cybersecurity Month in many places around the world, including the European Union and the United States.
In that spirit, let us consider the cybersecurity risks to networked medical technology and their implications for medical care, especially for people being cared for remotely.
Avoid failure through security by design
The biggest factor in judging risk is the number of people using the service. In the worst case, an attack could paralyze a system completely. If there are only a few users, the consequences, while severe, could possibly be handled. But what if there are several thousand users, or even more?
In a recent article, Prof. Gilbert and his collaborators used a fictitious chain of events to model exactly this sort of scenario, studying the effects of an attack on a remote monitoring system that had numerous patients in its purview.[2] The serious, life-threatening consequences of such an attack could be minimized by certain approaches, such as keeping reserve staff on standby at a nearby hospital for such an eventuality. But that negates the advantages of pursuing medical care at home!
“Medical technology in critical infrastructures and in new home-care scenarios must be designed to be so secure from the outset that emergencies do not occur at all or only very rarely,” stated Prof. Gilbert. “Investments are necessary for both scenarios, both for redundancy in personnel planning and for security by design.”
Can better regulation mitigate risk?
Security by design in this context means taking cybersecurity under consideration during product development itself. “Defense in depth,” or multi-level security, is another key concept in keeping the technology safe from attack.
The patient can’t be held responsible for the security of the system, of course. It is just a fact that many of the users of home care systems may be older patients, or impaired in some way. They can’t be assumed to be willing and able to care for the security of their own systems. In addition, said Prof. Gilbert, “older, sick people tend to be more at risk from certain forms of attack such as social engineering. It is therefore ethically necessary to relieve users of responsibility for IT security. This can be successful if the technology itself is well protected.”
This security by design is only possible if cybersecurity is part and parcel of the approval processes that medical technology products must undergo. Traditionally, these approvals can take time. Given the rapid advances in digital tech, this isn’t viable. An acceleration of testing and approval processes is required, which is cognizant of new developments, and takes into account applications that are in use, or could be in the future.
The European Commission’s “Horizon Europe” program is a step in this direction. This is also necessary from a regulatory perspective, since medical technology is overseen both at national and European Union (EU) levels.
Enter CYMEDSEC
CYMEDSEC is an EU-funded consortium, made up of universities, research institutions, medical facilities, authorities, and tech companies from across the EU and Switzerland. There is a wide range of research tasks under its umbrella, which include:
- an analysis of the current state of play in medical technology regulation in Europe, with a focus on what works, and what doesn’t
- how that compares to regulation at the national level, both within the EU and outside it
- how it compares against general cybersecurity regulations such as the Network and Information Security Directive NIS-2
CYMEDSEC also looks at the risks and rewards of using networked medical technology, using the approval process for pharmaceuticals and medical devices as a reference. Operating models of connected devices are studied, along with their vulnerabilities. How can security be designed to counteract future attacks?
The next generation of medical technology is of great interest in this regard, said Prof. Gilbert. “What security considerations must be taken into account when patients procure IoMT devices themselves, or even when their smartphones are used for IoMT communication?”
Healthcare on your phone
Smartphones already have the attributes IoMT networking requires. However, a smartphone in this context will be handling data that is both private and medical. “Special security hardening must be created,” said Prof. Gilbert. “Separate security layers at the hardware and software level can ensure that the monitoring data is protected from unauthorized access.” G+D’s subsidiary secunet is part of CYMEDSEC, and works closely with other partners like the Barkhausen Institute in securing this data from attack.
The remote monitoring app must also be installed in an optimal way, with all updates being carried out when required. The needs of what will be a predominantly older patient group must be accounted for.
From monitoring to therapeutics
CYMEDSEC’s current focus when studying the “hospital at home” model is on technology used to monitor patients remotely. However, Prof. Gilbert felt future research could include those technologies that are used for remote therapeutic purposes. The risks of attacks are higher in this scenario, he pointed out, as the physical safety of patients can be directly impacted in the event of a manipulation or malfunction.
Key takeaways
- Advances in medical networking have made home care for patients possible.
- This widens the scope for bad actors to attack these networks, as patients are in their own homes.
- With smartphones being used for both personal and medical purposes, security by design becomes of paramount importance.
References
- [1] Internet of Medical Things (IoMT) market size, share & industry analysis, Fortune Business Insights, August 2024
- [2] Can we learn from an imagined ransomware attack on a hospital at home platform?, Gilbert, Ricciardi, Mehrali, and Patsakis, NPJ Digital Medicine, March 2024