Ensuring the integrity of data generated and emitted by medical devices is a growing concern as cyber threats advance, says cybersecurity expert Kevin Fu.
"Medical devices contain sensors, and sensors are used to make decisions or provide cognizant support to the clinicians. ... We're finding that many devices do not have controls in place to ensure that they are high integrity and have high availability ... in the presence of some kind of malicious intent, like malware," he says in an interview with Information Security Media Group.
Consumer Device Risks
Similar concerns are evolving as patients seek to share health data generated by consumer-wearable health devices and applications with their physicians and other healthcare providers, Fu adds.
"There's a huge spectrum of different kinds of devices with different levels of risk. At the low end of risk, you have the Fitbits ... and the step-counters that are mostly there for informational purposes," he says. "At the high end, you have things like implantable devices that provide continuous telemetry to the clinicians," allowing device data to be collected and analyzed remotely on an ongoing basis, he adds.
"There are a lot of benefits - there are studies showing that this continuous monitoring can lead to better health outcomes for the patient," Fu notes. "On the risk side, when we start to use some of these consumer devices ... for actual diagnosis or therapy, that starts to get dicey, because the kind of safety controls you'd expect on a regulated medical device are much higher than what you'd find built into consumer devices."
Consumer health devices "were not designed to hit this much higher bar," he notes. "But I would be concerned if we find something that starts dosing drugs or emitting a shock based on the output of a consumer health monitoring sensor that was never designed to be part of something so advanced in the first place."
But even higher-end medical devices that are designed for more advanced healthcare uses raise concerns, Fu contends, because "the sensors are sort of out-of-sight, out-of-mind. ... When an adversary wants to cause harm, we have difficulty finding controls in place to mitigate those risks."
In the interview, Fu also discusses:
- How to apply cybersecurity findings by medical device researchers in academic settings to real-world environments;
- Ransomware and other evolving cyber threats facing medical devices;
- Other components, technologies and internet of things devices that pose emerging cybersecurity risks in healthcare.
Fu is associate professor of electrical engineering and computer science at the University of Michigan, where he directs the Archimedes Research Center for Medical Device Security. Previously, he served on the faculty at the University of Massachusetts, Amherst. Fu also has served as a visiting scientist at the Food and Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research and Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab. He's co-founder and chief scientist at healthcare cybersecurity firm Virta Laboratories. Fu was also recently named a fellow by the professional association, the Institute of Electrical and Electronics Engineers, or IEEE, for his contributions to the field of embedded and medical device security.