Cybersecurity for medical devices: Recommendations to keep Canada's health care cybersafe

- Boucherville, Quebec


The number of devices connecting to the internet or other networks is growing exponentially. This revolution has resulted in an increase in the number of connected medical devices, with more and more people getting health devices, like blood pressure or blood sugar machines, in their homes. Even the data from a bathroom weight scale can now be transferred to the cloud and interpreted by a clinician at a remote location.

The development and rapid evolution of medical devices come with new challenges for patients, health-care providers, and device developers. Like any other connected device, medical devices are vulnerable to cyber threats, and much is at stake. For example, a breach could compromise patient data and affect the performance of life-critical devices, exposing patients to safety issues.

In this context, researchers at the National Research Council of Canada's (NRC) Medical Devices Research Centre contributed their expertise to a technical report published in 2019: "Cybersecurity for medical devices: recommended best practices during design, development and deployment". The report was produced in collaboration with Health Canada, the government agency responsible for the regulation of medical devices, and the Canadian Centre for Cybersecurity, which advises Canadian industries, businesses and citizens on how to protect themselves online. With their understanding of industry needs for rapid rates of innovation, as well as government needs for maximizing public safety, the researchers were able to bridge the gap between the stakeholders involved in the report.

Best practices for medical device companies

The report describes cybersecurity-related best practices for medical device companies to consider during the pre-market design and development phases.

"We have the idea that all medical devices are made by huge international companies that have an incredible cybersecurity staff on hand to look after these things, but that is not really the case. I would say that the average medical device company in Canada employs less than 25 people," said Richard Bernhardt, NRC officer and lead of the report, when explaining the main motivation behind this study.

The report also examines bConnected, a research platform for remote patient monitoring developed by the NRC's Simulation and Digital Health team. Richard Bernhardt and the study's 2 other co-authors from the NRC, Dr. Di Jiang, Research Officer at the Medical Devices Research Centre, and Danny D'Amours, Director of Operations at the Digital Technologies Research Centre, used bConnected to illustrate best practices for the community.

Recommendations and advice

When staying in a hospital-like environment, it would be advisable for patients to be aware of the ease with which the devices could be tampered with. "Medical devices are deployed in public spaces, in hospitals, where their access is easy. It is possible that someone with malicious intent could get into these devices," warns Mr. Bernhardt.

To date, there has been no demonstrated incident of a cyberintrusion resulting in patients being physically harmed. This report helps raise awareness of such cyber dangers, and ultimately guides hospital administrators, health-care providers, and device developers to better protect connected medical devices against cyberattacks.

Contact us

Priyum Koonjul-Myburgh, Director, Business Development
