Healthcare sector ‘lacks awareness’ of cybersecurity threats

RAE report suggests medical devices could be prone to cyber attacks

The rise of digital health technologies is promising to transform healthcare, but is bringing with it cybersecurity risks that could be overlooked, says a new report.

The Royal Academy of Engineering report – entitled Cyber Safety and Resilience – suggests that the healthcare sector can learn from other industries when it comes to guarding against ransomware attacks, data breaches and hacking of connected health devices.

Taking connected health devices as an example, the report suggests that there is a general lack of awareness in the healthcare sector of the threats posed, and even of whether they exist. Lessons can be learned from other categories such as industrial control systems, smart homes and assisted living facilities. The RAE notes, however, that connected devices have different vulnerabilities – for example, a large number of people may have access to them and the consequences of tampering can be life-threatening.

“There is little robust evidence or quantification of the current security risks and potential impacts in the NHS for connected health devices, or more broadly, upon which to base solutions,” the report says, adding “there is a need to start measuring the problem before solutions can be identified”.

Meanwhile, at the EU level the regulatory framework hasn’t fully taken into account the cybersecurity risks to patient safety and privacy, and there are inconsistencies with the US, which “deals with cybersecurity much more explicitly [but is] less robust on telecoms standards and privacy, which has implications for telehealth and telecare”.

In 2016 the FDA said that the threat of medical device hacking is a growing concern, urging companies to take a proactive approach to planning for, and assessing, the cybersecurity of products once they reach the market. Last year researchers from the University of Leuven in Belgium and the University of Birmingham in the UK found a way to hack into implanted medical devices, steal medical information, drain the device’s battery and even cause it to malfunction.

The report makes a series of recommendations, including that the Medicines and Healthcare products Regulatory Agency (MHRA), NHS Digital and health industry associations should work together to develop guidance in this area, and that the MHRA and FDA should join a taskforce to look into how the existing legislative framework can be strengthened.

The UK government should also strengthen cybersecurity expertise in MHRA, using part of the budget for the UK’s cybersecurity programme, while research institutions should focus on developing methods to assure the security of complex health systems.

“The UK has world-class expertise in safety-critical systems that should be transferred to connected health devices and systems,” says the report.

Phil Taylor
21st March 2018