Healthcare devices play an essential role in tracking and managing patient’s safety. However, the complexities of healthcare devices often remain ambiguous due to hardware, software, or the interoperable healthcare system problems. There are essentially two critical factors for targeting healthcare: First, healthcare data is the most valuable entity on the dark web; and the second, it is the easiest to hack. Data pilferage has become a major hazard for healthcare organizations as the hackers now demand ransom and threaten to disclose the sensitive data if not paid within the stipulated timeline. The present study enlists a thorough research on the data violation cases and the possibilities of data infringements likely to happen in the next five years. This paper discusses about the healthcare device, security of healthcare and year wise security flaws. Healthcare data breaches analysis and forecasting of data breaches and causes of breaches also discussed. Open research challenges and future directions for healthcare industries also discussed.
As per the very recent article published by Forbes magazine on 24th March 2020, when the entire world was fighting with COVID-19 and all the research labs were busy in developing a vaccine for this pandemic, then the attackers hit on a vaccine testing center (
Mostly implantable, wearable and onsite healthcare devices regulator by the controlling message programs over the network. Healthcare device and controlled device send messages to each other than the attackers trespass over the networks. Most of the implantable and wearable devices have no encryption, authentication and integrity checking mechanism so these networked devices easily come under the attackers attacks [
FDA’s Safety Commutation has identified
Generally, publicly available software tools improve the quality of data available for health professionals and users. Healthcare devices must be enabled by high quality software only because the inaccurate outputs can harm the patients’ life. Moreover, it is imperative for the developers to religiously adhere to the stipulations of FDA because in case of any aberrations in the device, the developers are the first to be questioned [
Security challenges continue to beset the software based healthcare devices because the developers cannot identify the possible vulnerabilities at the time of the development of software. However, the hackers can easily trace these susceptibilities in the devices [
The contributions of this research endeavor are as follows: Section 2 of this paper discusses the security of healthcare devices and its components. Section 3 details the history of the healthcare device and problems associated with them. Healthcare data breach analysis has been discussed in Section 4. Security challenges have been discussed in Section 5. Healthcare device cost analysis and maintenance cost forecasting has been done in Section 6. Our study has predicted the settlement cost and the maintenance cost because the cost is directly dependent on the economic feasibility of the healthcare. Discussion and forecasting data comparisons results analysis has been described in Section 7. Section 8 concludes this study.
A Healthcare device is a combination of hardware and software. These are important issues from the perspective of security. The World Health Organization (WHO) defines healthcare devices as, “
The security of the healthcare device is a critical issue because the device processes any communication by running software on a specific hardware and by controlling the sensors. Major security threats happen when the devices sense wrong values because if the device reads an erroneous value, it will perform the wrong action. Malicious and unintentional changing of data can affect the safety in critical stages, thus endangering the patient’s treatment. FDA classifies the healthcare device safety in three categories of high, medium, and low risk. Devices like Smartphones, Hospital PCs are also facing security issues but these devices are not considered as healthcare devices by WHO and FDA. Nearly 78% of the healthcare devices are unsecured [
The main reason for increasing data breach instances could also be attributed to the lack of requisite expertise and skilled professionals who can design mechanisms to contain malicious invasions. In addition, it is a huge challenge for the existing 7000 healthcare device manufacturers to find highly trained security practitioners. Already, nearly 80% of the manufacturers have less than 50 workers [
Any healthcare device requires few important components which makes the healthcare device useful. Without these three components, a healthcare device is like a box. Hardware is the most important component of the device [
Software plays an important role in the functioning and the usability of healthcare devices. Without software, healthcare devices cannot perform the task and process on the data. As much as the software is useful for the device, it is also harmful [ Premarket Submissions Off-The-Shelf Software General Principle of Software Validation Mobile Marketing Association (MMA)
All these steps are checked by the organizations before marketing their healthcare devices. A variety of software tools is available which can improve the quality of diagnosis and treatment. Affected software may harm the device and the health of the patients. FDA hopes that more devices that have the vulnerabilities related to the genuine IPnet Software will be identified soon to help the manufacturers of healthcare devices. IEC62304 is the standard of healthcare device software development. IEC62304 provides the guidelines for software development lifecycle and classification of software safety of healthcare devices.
Since most of the devices are controlled by the software, even a minor flaw or a malfunction can be detrimental to the patient’s treatment. Healthcare device software safety classification has been segregated by IEC62304 in three classes: Class A; Class B; and Class C [
Hardware of the healthcare device is the cabinet body and internal microcontroller chips. Micro controllers become programmable chips. Attackers can MEDJACK the device by hiding the malicious circuit for stealthy attack vectors. Attackers can perform different types of attack or MEDJACK on devices like backdoor login, password access, and wrong configuration. Hardware of healthcare devices is also important for ensuring the confidentiality of the software. Malicious hardware can be planted in the device or through the other communicating device. For instance, the web server attacker can install malicious hardware because healthcare data is stored in the web server. This type of hardware tampering can lead to faulty diagnosis and treatment, thus risking the patient’s life. Moreover, maintaining consistent security of the hardware of IoT based controlled devices like CT-Scan, MRI machine, Insulin Pump, etc., is even more imperative because such devices are usually associated with the treatment of chronic diseases.
These devices also contain more sensitive hardware parts like thermal scanner, body scanner and camera. Camera and scanner are extremely vulnerable targets because the attackers can install the malicious part on the camera and scanner. The invasion takes over the control of the device and the reported data would either be corrupted by noise or get distorted. The designing phase of hardware is more time consuming because it involves the complex processes of material selection. After designing the hardware, testing is yet another time taking process. It may take one week to test a given hardware. If the tested device fails in the performance or in testing, then the hardware engineers go back to the drawing board to improvise upon the same processes. Only the thoroughly scrutinised device design which complies with the set standards of efficacy and high end performance goes to the next phase of hardware development. Hardware and software are two sides of the same coin in the healthcare device.
Security issues can also occur because of wireless communication over the network, unauthorized access of the patient’s data, trespassing over the network to poach on the patient’s health records. Data is continuously travelling over the network, so attackers can infringe upon the network any time. FDA provides the guidelines for URGENT11 in context of the third party software component which can be the cause of network trespassing. URGENT/11 Vulnerabilities occur in IPnet, IPnet is a third party software communicating component which supports the communication between the two devices [
The history of healthcare devices can be classified in four periods. The first period was more crucial and complex for healthcare devices because of a complex system and accidental failure of devices. The second period started with implantable devices. The third period started with the unauthorized access which could harm the device. The last period of the healthcare device is about the cyber threats to the security of healthcare devices. Combining all above conclusions of software controlled devices and threats of device security arises, patient data privacy also. We have discussed the healthcare device, Polymerase Chain Reaction (PCR) which is used for thermal testing of COVID-19 patients. However PCR also has its limitations, and there could be a possibility of 1% error in the results. Thus if we have tested 100 cases, then this machine automatically produces 1 erroneous result (means if we test 100 healthy persons, then this device will find one COVID-19 patient automatically). Accidental failure of the devices has been a recurrent feature right from their invention in the 1980s to present. Accidental failure is an unintentional event and could be hardware failure, software failure or the network failure. When data is travelling over the network, a sudden network error can result in the loss of the data. Software errors can also corrupt the data and abort the processing. Hardware failure can happen because of the power failure or storage device failure. All the four periods of healthcare device have been further explained below:
Healthcare comes under the highest risk technologies in the whole world. Ironically, the advancement in healthcare is also the reason for newly developed threats on the safety and security of device. Most of the mishaps occur due to the accidental failure of healthcare devices like software failure or the hardware problem.
From June 1985- January 1987, six patients took the overdose of radiation because of the defective Therac-25. The cause is yet to be identified and could have been the user’s fault, untrained healthcare staff or the wrong code of the software.
On November 13, 2002, a researcher accidentally flooded the data over the network of Beth Israel Deaconess Healthcare Centre (BIDMC), this is the reason of wetting for the data access of centre. Sadly, the network recovery was only based through the network. The Healthcare centre resorted to four days of paper work until the problem could be resolved. The fault occurred due to software failure which was directing the traffic on the network.
In the 21st century, there were several changes in the design of healthcare devices and the implantable healthcare devices (IMDs) were introduced in the USA. The arrival of IMDs raised the security and reliability of healthcare device. IMDs are implanted into the human body and this creates complications in the communication between devices and doctor.
FDA had to recall 114,645 defective ICDs in 2005 when a 21 year old cardiac patient died to a faulty ICD. Investigations revealed that the death happened due to short circuit in the devices.
In June 2005, a workshop on high confidence healthcare device software and systems was conducted in Philadelphia, PA. This workshop was sponsored by FDA, NIST, NSF, NSA, and NITRD. The main purpose of the workshop was to discuss issues and challenges arising in the designing, manufacturing, certification, and use of healthcare device.
50% of the healthcare devices in the USA alone in 2005, the markets were operated by software. Such devices are vulnerable to unauthorized access or healthcare device hacking or hijacking.
In 2006, securely updating the software of devices that allowed a client to send and install updates was a challenging task. Updates of software make the devices susceptible to
Vulnerabilities in the insulin pump were disclosed by the unauthorized parties in 2011. Active and passive attacks were achieved by off-the-shelf hardware. These attacks opened vulnerability in specific insulin pumps which gave permission to unauthorized parties to “
RF shield, a novel security mechanism, is used to prevent unauthorized access. RF shield works as a proxy server for communicating with implantable healthcare devices (IMD). RF shield stops any unknown device from communicating with the IMD by stopping all other communication in the devices.
Trap X detected the Healthcare Device Hijack (MEDJACK) in
Recently, the cybersecurity experts’ attention has shifted to the cybersecurity vulnerabilities of healthcare devices. In the present era, the number of networked healthcare devices have seen a tremendous increase. Internet connected devices have lots of benefits, including online monitoring and software maintenance. However, the safety of networked healthcare devices is more critical than other devices.
In February 2012, the annual Board Meeting of the Information Security and Privacy Advisory Board (ISPAB) was organized in Washington, DC. In the meeting, cybersecurity and economic benefits of healthcare devices were discussed. The meeting aimed at coordinating with the agencies involved with the regulation of healthcare devices and cybersecurity.
The FDA issued guidelines for the management of cybersecurity in healthcare devices in June 2013, and the final guidelines were issued one year later in October 2014 [ Identification of the vulnerabilities, assets, and threats in the device’s primary stage. Assessment of the device’s functionality due to the impact of threats and vulnerabilities. Assessment of threat and of vulnerabilities being exploited. Identification levels of risk and proposed mitigation strategies. Assessment of residual risk and acceptance criteria of the risk.
The guideline also identifies the “core functionality” of cybersecurity activities from the National Institute of Standards and Technology (NIST) cybersecurity framework.
During this time-period, the security experts were involved in securing the networked healthcare devices. Security challenges associated with the healthcare device include: Hardware failures/software errors, radio attacks, malware and vulnerability exploits, and side-channel attacks.
In 2016, FDA again published final guidance for premarket healthcare device cybersecurity. Thereafter in October 2018, FDA published the draft of the guidelines for manufacturing of the healthcare device.
In September 2018, as a MDIC steering committee member, FDA supported the report developed by the MDIC. Report was about the Advancing Coordinated Vulnerability Disclosure. The main aim of the report was to encourage the police of coordination vulnerability of Disclosure to promote healthcare device security and safety.
On 30 January 2019, FDA organized the public workshop on cybersecurity management of premarket submissions of healthcare devices. The main aim of this workshop was to discuss about the newly draft guidance of pre-submission of healthcare devices.
Convened on 10 September 2019 with the intent to make FDA aware about the complexity of integrating the healthcare device security risk.
On 1 October 2019, FDA alerted the vendors, and patients about cybersecurity and possible vulnerabilities during the device connected with the network and server migration time.
On 23 January 2020, FDA organized a meeting of healthcare, faculties and staff for spreading awareness about the healthcare system and telemetry server at risk during the monitoring.
On 3 March 2020, FDA again organized a meeting of patients and vendors for awareness on SwenyTooth family of cybersecurity which may have been introduced in certain types of healthcare devices.
Our study has detailed the history of the healthcare device period-wise and year wise. Specific period and year wise events clearly explain about the risk, safety and privacy issues associated with the usability of the healthcare devices. As is evident from the pattern of cyber-attacks, most of the cybersecurity vulnerabilities cases have happened in the present period. Just recently when the whole world was fighting with the COVID-19, then the hackers were hacking the UK based healthcare facility which was helping in the CORONA vaccine testing.
According to a report published by JSP, there was a phenomenal increase of 62% in the use of network connected healthcare devices, the highest in the last five years. This figure is expected to reach 25 million now. Since, the devices and databases connected with the Internet can be easily accessed for expediting the treatment, more and more patients are now availing their services. However, with more users of the technology, the risk of cyber threats is also increasing. Though 35% of the patients expressed trust in the use of the healthcare devices, 65% of the patients had concerns about their data being corrupted in case of software vulnerabilities or data tampering.
Health Insurance Portability and Accountability Act (HIPAA) is a public law 104–191, and second privacy rule promulgated by the USA in 1996. HIPAA conducted a study on healthcare data breaches, data lost in the breaches and settlement and penalty cost borne by the hospitals. In our study, we have organized data from 2009 to 2020. Year-wise comparison of attacks shown in the
Security regulations and laws have failed to protect the patients’ data from being invaded and breached. Newly developed threats on the electronic health data require more revisions in HIPAA so as to provide effective counter measures and stringent penalties for the violators. In addition to the crisis of intentional data pilfering, there are also several other reasons for loss of data. These factors could be human error, flaws in the software, system failure, hardware failure and natural disasters. At present mail phishing is the biggest cause of data breaches in healthcare. Main challenges for healthcare device security are software threats. Through the MEDJACK, the malware attackers can access the networked devices and control the connected devices. For the safety of the device, the operating software must be consistent.
As per the report generated on 23 July, 2019, the maximum number of patients’ records was compromised in 2015 (Protenus Breach Barometer). In 2009, the total number of breaches was 18 shown in
The healthcare data breaches recently released by the Protenus in 2020 report shows that 2019 was the worst in the context of data breach episodes. A total of 572 data breaches were identified in 2019 and data compromised was 41 million. Total numbers of breaches and numbers of data compromised has been shown in
There are five main causes for the data breaches in the healthcare which are enumerated below:
Remains the foremost cause for data breaches. Hacking usually happens through phishing emails sent by the attackers for infecting the system. Healthcare data breaches have continuously increased during 2018 to 2019 and hacking episodes have grown by 108%.
Data theft is the second main cause for the data breaches. Portable devices and other lighting come under theft. The theft event personal device or data become stolen respect to 2018 in 2019 42% decrements in theft of data
Data breaches can also be initiated through
Loss and improper disposal of the old devices can also lead to data breach episodes [
The failure of healthcare devices can have fatal consequences. Hence, whenever the defects have been detected, there has been a recall of the devices to analyse and rectify the errors. Recalls are divided into three classes. Class-I devices are more risky and dangerous for life; Class-II is partially risky for health and life; Class-III devices only violate the law of agency and are not threats to the patients [
The year-wise data of ransom, settlement and penalty cost in dollars and percentage of increment and decrement has been shown in
In 2009, the settlement and ransom cost increased to 95% in comparison to 2008. And suddenly, in 2010, the settlement cost decreased by 117% in comparison to 2009. In 2011, the settlement cost increased by 82% in comparison to previous year. In all the years of settlement cost, the highest was in 2015 which was 280% more in comparison to 2014. Thereafter, in 2016, 2017, and 2020 there was 17% decrement, 47% increment and 52% decrement, respectively, in the settlement cost. Settlement cost is for data compromise and ransom and penalty on the healthcare centers and vendors by civil monetary penalty for HIPAA rules violations. Penalties imposed by HIPAA depend on the extent of violation. If the entity is unaware of the violation and makes an effort to correct, then the fine would be only $25000 per year [
Future prediction of data breaches up to 2024 has been done and depicted in
Till 31 March 2020, 50 plus breaches have been done. If the breaches will increase at this rate, they can touch our breaches predictions which is 700 plus in 2020. Till 2023, the numbers are likely to reach the count of 1377. 2024 will be the relief year for the healthcare industry because the breaches will decrease to 1240. If there are as many as 1377 breach cases, then data and cost both will be affected. Authors have used here the polynomial order 6 model (
Healthcare device security is a big challenge for the healthcare industry and vendors [
Authors have used here polynomial model (
where;
a = the intercept, x = the explanatory variable,
n = the nature of the polynomial (e.g., squared, cubed, etc.)
Authors have used here the polynomial order 6 equation for data breaches forecasting. The
The contributions of the authors in this article, the authors have done the analysis of the studies which have been done in the past besides working on a separate analysis of the breaches, settlement cost, healthcare device maintenance cost based on CAGR (Compound annual growth rate) = 5.3% [
There are several challenges and issues surrounding the functional safety, security, and essential performance of healthcare devices. These issues often arise due to the three main components of the healthcare devices: Hardware, software and network. Furthermore, the software issues of the healthcare devices include software security, network security, system and data security. In the healthcare device, malware and vulnerabilities are major issues. Issues arise with healthcare devices when a device communicates with the other device or network. Implantable healthcare devices have memory, processing power and battery power. All these features also create issues for security. Attackers mostly trying to prey on the vulnerabilities of networked devices and mainly focus on application software, database servers, and web servers.
Devices can configure and interact with other devices through the interface provided by the web servers. Mostly, web services often contain easily-susceptible vulnerabilities. Freely available hacking tools available on the internet are used by the hackers to expose the vulnerabilities and easily gain access to the device.
Mostly, healthcare organisations store patients’ personal data for their use on databases. Data can be easily accessed only by the query or structured query language (SQL). This database is highly prone to attacks by the SQL injection. Through the SQL injection, the attackers simply alter and delete all information of the patients and staff from the database.
Software contains many loopholes which make the software vulnerable. If the software has not been subjected to software vulnerability testing, then these flaws can be the source of data breach.
The three main challenges with healthcare device are:
Software security is a critical feature in keeping the security of the healthcare device intact. FDA security communication enlists URGENT/11 cybersecurity vulnerabilities which may introduce risk in healthcare devices [
Healthcare device Software development is the same as other software. For writing good and secure codes, it is imperative to train and impart knowledge to the security practitioners.
Healthcare device software contains code and third party software components. Third party software components may be the cause of vulnerabilities. Some of the healthcare devices (e.g., WannaCary, NotPetya, Orange-worm) are hacked through third party software. Patches are easily available and these patches update the software for making the device safe and secure. However, it is important to determine whether the source of the update is original or not. Confirming the authenticity of the source is an important task for safety of healthcare devices.
Hardware security pertains to the designing and maintenance of healthcare devices. Hackers can install the vulnerable hardware and get access to the device. Following are the concerns that need attention:
Data storage in healthcare devices is also unsafe; these devices require safety from internal attackers.
Most of the hardware device attacks occur at the time of maintenance, so precaution should be taken while replacing or installing any part of the device.
Internal risk always arises on data and devices. Internal risks refer to involvement of the staff for data breaches.
Security issues can arise because of wireless communication over the network. Networked connected healthcare devices play an important role in healthcare. However, the data exchanged online can be exposed to the third party vendors who can safely hack or infect the data by malware and unauthorized access. When data is travelling over the network then trespassing also occurs on the data. So making the network secure for transmission of the data is also a major challenge and the aspects that need focus in this regard are:
IPnet is the network compatible software which is used in communication of devices. Most of the networked devices are hacked through IPnet [
Network flood also occurs in the networked devices. If a large amount of data travels over the network, there can be a problem in accessing the data. This problem usually arises because of DoS attacks.
Healthcare devices are an integral part of present day healthcare services. From the patients’ imaging and diagnosis of the diseases to the treatment, healthcare devices are a key asset for the patients as well as the doctors. Since most of the healthcare devices nowadays are connected through the network, the vulnerabilities and cyber-attacks are also increasing. This paper overviews the medical device security, components and work done for security. And analyze and predict healthcare data breaches with the help of polynomial methods and find that hacking and theft events cover up to 50% of total data breaches. In our cost analysis we observe that the settlement cost is increasing year by year. This is a thinkable point why hackers targeting healthcare data. After that we have discussed the open security challenges of the medical device. Open challenges of this study will help the researchers in the research, maintenance cost prediction and data breaches settlement cost prediction also helps the manufacturing industries to focus on the technical and economical feasibility because this is the key point for the healthcare industries. The manufacturers of healthcare devices, healthcare professionals as well as cybersecurity experts must collate their efforts for inventing safer and secure digital healthcare aids for the patients.
This project was supported by Taif University Researchers Supporting Project No. (TURSP-2020/107), Taif University, Taif, Saudi Arabia.