Cyber security threats in medical device networks are evolving to become more sophisticated - risking patients' lives - but machine learning and other types of AI might not be the best fix


Healthcare technology takes a step forward every day – and while it may improve patient lives, it also raises concerns over the vulnerability of medical device networks.

It means concerns are rising about threats to one of the core priorities of every health system – patient safety.

This week, the US’ Healthcare and Public Health Sector Coordinating Council (HSCC), a private-public work group of healthcare organisations including the Food and Drug Administration (FDA), posted its new recommendations for managing the security of medical devices.

It coincided with America’s Data Privacy Day and the UK’s Data Protection Day, with industry and regulators focusing their attention on the security and privacy of medical data.

We speak to businesses about how the industry can equip systems better and find out why using artificial intelligence to step up security might be a mistake.

 

How medical device networks become vulnerable to cyber-attacks

Medical devices should be secure in their use when connected to the organisation’s internal network.

Because these devices are linked to patient lives, there is pressure on operators to ensure data exchanges are not disrupted by criminals in cyber-attacks.

Ben Ransford, co-founder and CEO of Virta Laboratories, explains how new vulnerabilities and risks to digital systems develop as medical devices and technology become more sophisticated and smart.

He says: “The biggest risk stems from the fact that specialised devices are becoming ever more inter-operable with the rest of the world.

“Every time you integrate a device with a new environment, you’re increasing its attack surface and potentially inviting misuse.

“For example, if a medical device joins a home Wi-Fi network, it might come into contact with a hacked smart TV and an unpatched consumer-grade router.”

Supporting this point is Axel Wirth, a distinguished technical architect for Symantec Corporation.

He says: “More connectivity offers more opportunity for an attack. Through all the devices in use, we have become more dependent.

“It is not just the device anymore but its ability to share data with other systems.”


How to secure medical device networks

It is imperative for users to understand what constitutes a secure cyber-security infrastructure and package, says Mr Wirth – who believes cyber security education and training should be a priority for health providers.

He lists protocols that companies often ignore but that he says are vital to consider and incorporate into their systems.

“The first step is a risk-based approach,” he says. “Find out which device has the highest risk, can have the highest impact and requires the highest level of protection.

“On the technical side, networks should be segmented with the highest risk devices having the ‘highest degree of separation’.

“Patches should be deployed as quickly as possible.

“Any user or technician using or maintaining a device should have at least basic security training.

“Use of USB data carriers should be restricted and any USB drive in circulation should be scanned for malware.”

Healthcare IT systems and hospitals need a guiding principle when embedding security into their products as early detection enables swift response.

It is necessary to take proactive measures to mitigate security risks, such as network segmentation, patching and removing devices from networks.

A patch is a set of changes to a computer program or its supporting data, designed to update, fix or improve it.

While acknowledging there are practical limitations, Mr Wirth says organisations should ensure healthcare IT systems follow the best practices in data and network security.

He adds: “A notorious problem with medical devices is patching.

“Typically, patches need to be validated by the manufacturer, then manually deployed at times when the device is not in use.

“With normal computers and servers, we have tools and processes to automatically deploy patches within a few days, whereas on the medical device side this can take weeks or even months, leaving a significant ‘window of vulnerability’.

“Medical device manufacturers have to change their approach, too.

“They need to design security, and security processes, into new devices from the beginning – they need to be more secure and easier to be maintained.”

 

Impact of artificial intelligence in medical device networks security

The integration of AI and machine learning-based cyber-security is a trend being widely adopted in medical technology.

There’s no doubt AI can combat healthcare data security challenges and help protect hospitals and medical device networks by using algorithms to predict when issues will arise, work out fixes and quickly respond to new and evolving cyber threats.

However, as more machine learning systems are utilised to connect or take over medical device networks, an AI system can actually work against security systems because of incorrect predictions, raising the risk of serious consequences.

Mr Wirth explains: “Because machine learning systems are not explicitly programmed to make decisions based on a defined algorithm, it makes it difficult to determine if the result or diagnosis is correct.

“So, in both healthcare and cyber security, adversaries could exploit this and deliberately change the outcome of the AI system through model extraction or poisoning.

“That would be very difficult to detect as we would not know what the normal or correct outcome should be – or to decide whether the output has changed for valid reasons, an error or a malicious attack.”

Virta’s Mr Ransford boldly labels the concept of AI as “over-hyped” and a “mistake.”

He says: “Organisations want very badly for AI or machine learning to be a magic bullet for security so they don’t have to spend money on security staff.

“But staking your security posture on something you don’t really understand is a mistake.”