
Medical device cyber security information for users

Consumers, health professionals, small business operators and large scale service providers

6 April 2021


Appendix 2: The evolving cyber security landscape

The TGA is responsible for the continued safety, quality and performance of medical devices affected by cyber-related issues.

Cyber security in Australia

The Australian Government released Australia's Cyber Security Strategy in 2016. This strategy recognises that improving cyber security is a whole-of-economy challenge, and details priority actions to improve Australia's general cyber security posture, alongside supporting the growth of the local cyber security industry.

Putting the cyber security strategy into operation, and providing a cyber-secure environment in which businesses and individuals can operate with stability, is the responsibility of the Australian Government, specifically the Department of Defence and relevant agencies, including the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC).

Health technology and cyber security

The digitalisation of consumer and professional health technology is rapidly gathering traction, with increased application of wireless communication, cloud services, artificial intelligence (AI) and other technologies.

Some of this technology meets the definition of a medical device, while some does not. Medical devices will increasingly be used in a wider variety of professional, personal and public environments, leading to new cyber security implications from an evolving cyber threat landscape.

Increased connectivity and digitisation of health technologies drives a changing cyber landscape, creating new vulnerabilities for medical devices. Likewise, vulnerabilities from across the broader IT ecosystem can affect digital health technologies.

The evolving digital health and cyber landscapes
Diagram depicts a number of overlapping ovals showing that Digital Health / the Internet of Medical Things is a subset of the broader Internet of Things which cuts across all industries including healthcare, transport, manufacturing, energy, mining, industrial operations, etc. Within the Digital Health / Internet of Medical Things domain, which includes consumer wearables, fitness trackers, apps, etc., sits the overlapping domains of healthcare information technology and regulated medical devices. Healthcare information technology includes: electronic patient health records, clinical information systems, practice and enterprise management software, etc. Regulated medical devices includes: medical imaging, surgical robots, in vitro diagnostic devices, communicative implants, software as a medical device, etc. The diagram also depicts that there is an evolving cyber threat landscape that encapsulates the Internet of Things. Driving this evolving cyber threat landscape is the digitisation of medical devices; further, vulnerabilities from the broader ecosystem can affect digital health technologies. The diagram depicts that vulnerabilities within the cyber threat landscape can cascade into exploits, threats and risks. Cyber security can help prevent vulnerabilities from being exploited.

The role of the TGA

As technology progresses, the capabilities and functionality of medical devices are becoming more digitised and interconnected. Software in particular is becoming increasingly important and pervasive in healthcare. As the digital complexity of devices increases so does the potential for cyber security risk through hardware and software vulnerabilities and increased exposure to network and internet-based threats.

In order to support Australia's medical device cyber security capability, the TGA has produced cyber security guidance for industry and for users to embed cyber security practices and protocols across the medical device sector (developers, manufacturers, sponsors, health professionals and patients).

Please note that TGA requirements may not be the only relevant regulatory requirements. For example, you might be required to use the Office of the Australian Information Commissioner's Notifiable Data Breach Scheme under the Privacy Act 1988.

Manufacturer and sponsor responsibilities

Manufacturers and sponsors need to consider and plan for an evolving cyber security landscape in order to maintain patient safety. The cyber–physical–human nature of many connected medical devices leads to cyber security vulnerabilities that span traditional information security challenges but also physical patient safety, and these are by nature difficult to predict. For example:

  • Infusion pumps wirelessly connected to a number of systems and networks introduce many cyber security vulnerabilities and threats, such as unauthorised access to health information and changes to the functionality of the device and the prescription of drug doses.
  • Digitalisation is blurring the distinction between medical devices and consumer devices, with smartphones able to act as the operating platform for some software-based medical devices. Security of these devices relies on the user, often a patient, having up-to-date security software on their device and following cyber safe practices.

Enabling medical devices to be cyber-secure is a requirement for regulatory compliance in Australia. Building greater cyber maturity and resilience into Australia's medical device industry will improve the security culture of our healthcare industry and reduce the risk of devices causing patient harm through cyber vulnerabilities. To achieve this, medical device manufacturers and sponsors are also considering cyber security more broadly within their organisations, including workforce skills, strong leadership, and technology solutions.

Motivations for malicious activity

Beyond immediate patient harm, a single high profile adverse cyber event can disrupt professional and social trust in medical device advancement and the healthcare system more broadly, hindering innovation, development and deployment of digital health solutions for several years. Motivations for attacks on medical devices and associated networks may include:

  • Financial and political gain through access to identity, financial and medical data stored in hospital IT systems or networks associated with medical devices, through selling of data, blackmail, etc.
  • Generating wide-scale disruption of services by gaining entry into hospital networks
  • Alteration or removal of a medical service or therapy to impact lives as a form of cyberwarfare, or to target an individual
  • Intellectual Property theft
  • Impugning the reputation of a device manufacturer in order to alter market competition
  • A motivation to harm other individuals
  • Curiosity and prestige in demonstrating ability to identify and/or exploit vulnerabilities in complex systems

Industry trends and cyber security considerations

Highlighted below are emerging social and technological trends that are affecting the cyber threat landscape and associated implications for the healthcare and medical device industry. The cyber security effect that arises from each trend is an important consideration for all stakeholders in the healthcare and medical device industry.

Table: Healthcare and medical technology industry trends and cyber security considerations
(Columns: Trend name; Trend observations; Cyber security considerations. Each trend below lists its observations followed by its cyber security considerations.)

Consumer control and experience

  • Patients are gaining more control over their healthcare and expecting quality experiences
  • Access to information is increasing consumer decision-making power and allowing proactive health management
  • Devices providing better experiences for a patient are interacting with different environments (e.g. home or public Wi-Fi) and are exposed to a different threat landscape
  • Variable security literacy of patient / end-user

Integration of health service and supply chains

  • End-to-end integration of healthcare will improve efficiency and provide greater focus on the patient
  • Digital technologies are transforming supply chains
  • Interoperability of systems is needed for successful healthcare integration although this may introduce a new range of cyber security vulnerabilities
  • Security throughout the supply chain and other third parties is vital
  • Ensure clear ownership of responsibilities

Global Connectivity

  • Global connectivity is enabling trade; empowering people with access to information, products and services; and allowing seamless communication for improved social and professional connections
  • New entrants can scale-up quickly with access to global markets
  • Cyber-attacks can come from anywhere in the world
  • Remote connection of physical devices introduces new cyber considerations—Internet of Things (IoT) vulnerabilities may include data but also extend to physical threats to health and safety

Precision and personal healthcare

  • Advances in science and technology, such as genome profiling and 3D printing are enabling technology solutions that are tuned to the specific needs of individuals
  • Bespoke technologies will provide improved outcomes for individual patients
  • Precision healthcare can require the collection of lifestyle, personal health and medical information from a variety of sources, expanding the data that needs to be protected

Increased data generation and exchange

  • Greater volumes of patient data are being generated and exchanged, enabling new insights and supporting new businesses and technologies
  • For example, genome profiles will enable new diagnostic platforms
  • Manufacturers will need to ensure that the confidentiality and integrity of data are maintained

Healthcare: a vulnerable industry

  • Healthcare is vulnerable to cyber threats, with many poorly protected legacy systems in use
  • Cyber-attacks on healthcare organisations are increasing
  • Healthcare is vulnerable to mass media communications that can cause a crisis of confidence in health services and products
  • Adversaries can have numerous motivations to attack medical devices
  • Healthcare information is highly sought after on the dark web
  • Manufacturers of devices that capture, transmit or store health information should address the risks created by poor cyber security
  • Public trust is difficult to restore after a significant cyber event
