Preventing cyber attacks on medical devices

At the end of July 2017, it was announced that an American medical device cyber risk assessment platform - the World Health Information Security Testing Lab - known as WHISTL will expand to the UK by the end of 2017.

This announcement followed the global ransomware attack of the UK NHS online systems in May 2017 which increased concerns about cyber threats to both medical devices and healthcare environments.

WHISTL

WHISTL has already been launched by the Medical Device Innovation, Safety and Security Consortium (MDISS) in the US and focusses on testing multi-device critical care environments such as medical operating theatres, hospital intensive care units (ICUs), and emergency rooms.

In the US, WHISTL comprises of a federated network of independently owned medical device security testing labs operated by MDISS-member organisations such as:

• Medical device manufacturers
• Healthcare companies
• Technology firms
• Universities

MDISS WHISTL will be operational by the end of this year in the UK, New York, Indiana, Tennessee, California, Israel, Finland and Singapore.

WHISTL focusses on assisting hospitals, medical device manufacturers and tech companies to:

• Identify medical device vulnerabilities
• Mitigate medical device vulnerabilities
• Provide educational awareness on sharing device security
• Share solutions for protecting against medical device vulnerabilities

Any medical device vulnerabilities will be reported to medical device manufacturers and to the National Health Information Sharing and Analysis Centre (NHISAC)- MDISS Medical Device Vulnerability Program for Evaluation and Response.

Given that research to date has already revealed that life-sustaining medical devices such as pacemakers can be cyber attacked remotely, it understood that the WHISTL researchers will initially be testing the security of physiologic monitors such as heart and respiratory monitors, which are most frequently used in ICUs.

New EU medical device regulations

The timing of the imminent introduction of WHISTL to the UK, dovetails well with the start of the three-year transition period for the European Medical Devices Regulation (MDR) and the In Vitro Diagnostic Medical Devices Regulation (IVDR), which began on 25 May 2017.

The key objectives of these new regulations are to:

• Ensure EU legislation adapts to the substantial progress in science and technology over the last 20 years.
• Provide EU users of medical devices with a consistently high level of health and safety protection.
• Provide fair and free trade of medical devices across the EU.
• The lengthy new regulations will introduce numerous new changes, including for example high-risk devices being subjected to a far stricter pre-market scrutiny and the introduction of an EU database of medical devices with a sophisticated unique device identification traceability system.

Implications for insurers

In light of these new developments, insurers of medical device manufacturers and healthcare companies should ensure that their insureds:

• Take full advantage of and seek to actively participate in WHISTL, once it is has been introduced into the UK, by the end 2017.
• Actively, implement ways to reduce the likelihood of cyber security incidents e.g. via continual review of product and software designs and the monitoring of network operational security.
• Consider and implement both internal and external procedures to provide a good incident response in the event of a cyber-attack.
• Seek to keep up-to-date with and comply with relevant new EU regulations, as they continue to evolve, such as the new MDR and IDVR.

Related item: Technology, innovation and cyber risk in the NHS

Read other items in the Healthcare Brief - November 2017