Due to the Covid-19 crisis, hospitals are using patient monitoring devices more than ever, Research shows that one-in-four such devices have security issues and unfortunately cybersecurity attacks have increased significantly in the healthcare the few past weeks to take advantage of these vulnerabilities.
Security and safety standards in Healthcare are supposed to be helping in these difficult times right? Why aren't they so ? and is there a missing piece in the puzzle ?
Standards Ensuring a Secure Sharing of EHR
When it comes to the sharing of Electronic Healthcare Records or EHR, there are many standards, architectural models, and practices used for cybersecurity.
The entire EHR has reached real maturity in Europe, but it still has many ways to go, as standardizing the whole sector is a complex undertaking. The European Commission has the European Interoperability Framework (EIF) to define the principles for interoperability within public services. As for the implementation level, there is the European Interoperability Reference Architecture or EIRA. On the other hand, the GDPR is clear on the requirements for protection of medical data which cannot cross international borders for example, which means that telemedicine is not authorized by default from one country to another.
On the international scale, a similar model to that of the EU is used, called Integrating the Healthcare Enterprise (IHE). It has several domains, and each has a technical framework with specific standards. IHE also has a major role in specifying cybersecurity standards that are recognized by the European Commission, the World Health Organization, and the Interoperability Standard Advisory.
The role of the IHE is to provide profiles over selected sets of specifications, to ensure technological sustainability in IT projects for the healthcare system. This means that each architecture based on IHE profiles has the same basic cybersecurity models.
The EHR sharing under IHE is tested through events called connect-a-thons. Vendors do interoperability and conformance testing in these week-long events together with other vendors and software tools. These private events are already used by the eHealth Digital Service Infrastructure (eHDSI). For example, the Conformity Assessment Scheme (CAS) was devised based on the tools from connect-a-thons.
The basis of the EHR, the data on health, is treated as a special category. Healthcare care settings, such as hospitals and private clinics, are classified as operators of essential services. It was suggested that the sharing of EHRs uses a substantial eIDAS level scheme. However, there is also a push for a high eIDAS assurance scheme.
According to the definitions of this type of private data in the USA, the health data in the form of EHRs would be assets. Software systems that share EHRs can comply with schemes and create assessment levels that are either high or substantial.
IHE, HL7, and DICOM provide the specifications driving the sharing of EHRs with a focus on securing the communication channel through security assessment procedures (e.g. testing with automated tools, pentesting, source code review). But, as of now, there are no standard procedures available addressing the products life-cycle, but best practices are followed. In addition, those exisiting schemes and regulations do not clearly deal with the lifecycle of a medical ICT product as required by Article 51 of the European Cybersecurity Act (CSA).
Are Standards Missing Medical Devices Security ?
In Europe, manufacturers must comply with the current Medical Device Directive (MDD) or the new Medical Device Regulation (MDR) 2017/745, and the following standards have been suggested as an indication and implicitly:
- ISO 62304 (secure development of medical device software)
- ISO 14971 (risk management of medical devices).
The EU CSA regulation will initially apply via certification schemes which are starting to be implemented (e.g. the SOGIS EU Common Criteria scheme) or those which are positioned as candidates on horizontal markets (e.g. Eurosmart IoT SCS , SESIP, etc.) but until then, manufacturers must demonstrate today that their products are state-of-the-art in terms of protection against cyber attacks.
This is why the following standards can be successfully used to guide manufacturers towards this state of conformity by highlighting the functionalities and security controls in a relevant way and with a risk approach:
- ISA / IEC 62443 EDSA - Embedded Device Security Assurance
- UL 2900
- Eurosmart IoT Certification Scheme
In the U.S., the FDA has defined certain cybersecurity requirements. And at the same time, it is pushing for a set of consensus standards to guide manufacturers to meet these requirements. For example:
- ISA / IEC 62443 EDSA covering the safety functionality of medical devices
- ISO 62304 (secure development of medical device software)
- ISO 14971 (risk management of medical devices)
Some countries accept medical certification / standard from Europe or the United States, while others like China have their own regulations.
Completing the Puzzle
All in all, hackers are not going to stop exploiting the lack of security in healthcare institutions and Medical devices. It’s thus essential to focus on improving the effectiveness of security in the medical industry.
Therefore, developers and manufacturers of Medical devices need to apply now the available recommended standards, to put in place security by design principles and conduct ICT product certification processes in order to fill-in the gap in the puzzle.