What is a medical device?

A medical device is described as

"any instrument, apparatus, appliance, software, material or other article, whether used alone or in combination, together with any accessories, including the software intended by its manufacturer to be used specifically for diagnosis or therapeutic purposes or both and necessary for its proper application, which is intended by the manufacturer to be used for human beings for the purpose of:

  • diagnosis, prevention, monitoring, treatment, or alleviation of disease
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or handicap
  • investigation, replacement, or modification of the anatomy or of a physiological process, or
  • control of conception"

An introductory guide to the MDR and the IVDR

Medical Devices Regulations 2002 (legislation.gov.uk)

The above Medicines and Healthcare products Regulatory Agency (MHRA) guidance is specific to the provisions in Great Britain (England, Wales, and Scotland).

The World Health Organization defines a medical device as any instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer to be used, alone or in combination, for a medical purpose.

It also states that today there are an estimated 2 million different kinds of medical devices on the world market, categorised into more than 7000 generic device groups.

The European Council Directive 93/42/EEC lays out the definition of a medical device.


What are connected medical devices?

The term connected medical devices (CMD) refers to medical devices connected to an organisation’s clinical network that can transmit and/or receive data to/from another source on the network or other location (such as the internet).

Genomics diagnostic CMDs refer to devices deployed on the clinical network that are involved in:

  • genome extraction
  • genome plating
  • genome sequencing
  • analysis and reporting
  • genomics data storage (includes sequencing data, variant data and other genomics related data)

This guide will focus only on medical devices connected to an organisation’s clinical network.


Security weaknesses in CMDs

The NHS England guidance on protecting medical devices identified 3 issues related to using medical devices on clinical networks:

  1. It can take up to 3 months from the time that a security update is released to when it can be implemented on the medical device. This is because security updates, patches, and potentially virus signatures, must be properly assessed by the supplier and confirmed as safe before they can be installed on the medical device.
  2. Since medical devices are not regularly updated with the latest security mitigations, the impact of vulnerabilities is increased, making exploitation more likely to succeed, and making detection of any exploitation more difficult.
  3. In many health and care organisations, CMDs are deployed as 'black boxes' and are usually managed remotely by suppliers via remote access connectivity to the devices. These connections may be permanently available or on demand, which introduces the risk that a compromise of the supplier environment could lead to the CMD being used as the entry point into the organisation’s network.

With the growth of the Internet of Medical Things (IoMT), the threat of potential cyber-attacks increases. The US Department of Homeland Security recently issued a warning about a bundle of vulnerabilities known as 'Ripple20' which could impact millions of medical devices. In addition, the US Food and Drug Administration (FDA) has also warned of a vulnerability in Bluetooth® technology known as 'SweynTooth' that could compromise Bluetooth® low energy medical devices.

In combination, these issues mean that high-impact security incidents become more likely to occur, with the potential that security incidents affecting connected medical devices could cause significant disruption to the delivery of healthcare services.


The case for segmentation

Network segmentation - An introduction for health and care organisations recommends that, to reduce the potential impact of a compromised medical device connected to your organisation’s network, you should segment your clinical network by dividing your local area network (LAN) into separate independent logical segments. This should:

  • limit the risk of malicious mobile software on the corporate network reaching a vulnerable CMD
  • (in the event a vulnerable CMD is compromised) reduce the risk of a compromise of your corporate network by limiting the blast radius of a cyber-attack to the logical network segment hosting the compromised component
  • limit the compromise of other network assets by preventing the uncontrolled lateral movement of the malicious code across the network

In addition to other controls, segmenting CMDs connected to clinical networks is therefore a very important control that you should implement to reduce the ability for malware to spread laterally through an enterprise.
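As an added example (not part of the NHS guidance), the following Python script audits a constructed inter-segment firewall policy against the three segmentation goals listed above, comparing a flat LAN policy with a segmented one. The segment names, port numbers, the supplier remote-access path and the first-match, default-deny rule semantics are all assumptions made for this example.

```python
"""Audit an inter-segment policy for a clinical network against the
segmentation goals in the guidance (all names and ports are assumed)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed segment names for the example (not from the guidance).
CORP, CMD, GENOMICS_STORE, SUPPLIER_VPN = (
    "corporate", "cmd_sequencers", "genomics_storage", "supplier_vpn")
# Ports used to probe whether a segment pair can talk at all.
PROBE_PORTS = (22, 443, 445, 3389)

@dataclass(frozen=True)
class Rule:
    src: str            # segment name or "*" for any
    dst: str            # segment name or "*" for any
    port: int | None    # None matches any destination port
    action: str         # "allow" or "deny"

def evaluate(policy: list[Rule], src: str, dst: str, port: int) -> str:
    """First-match evaluation; default deny when nothing matches (assumed)."""
    for r in policy:
        if r.src in (src, "*") and r.dst in (dst, "*") and r.port in (None, port):
            return r.action
    return "deny"

def reachable(policy: list[Rule], src: str, dst: str) -> bool:
    return any(evaluate(policy, src, dst, p) == "allow" for p in PROBE_PORTS)

def audit(policy: list[Rule]) -> list[str]:
    """Return the segmentation goals from the guidance that the policy violates."""
    findings = []
    if reachable(policy, CORP, CMD):           # goal: corporate malware cannot reach a CMD
        findings.append("corporate segment can initiate connections to CMDs")
    if reachable(policy, CMD, CORP):           # goal: a compromised CMD stays in its segment
        findings.append("CMD segment can reach corporate hosts (lateral movement)")
    if reachable(policy, SUPPLIER_VPN, CORP) or reachable(policy, SUPPLIER_VPN, GENOMICS_STORE):
        findings.append("supplier remote access can reach segments beyond the CMDs")
    return findings

# Constructed 'flat' policy: one LAN where every host may talk to every other host.
FLAT_POLICY = [Rule("*", "*", None, "allow")]

# Constructed segmented policy: only the flows the sequencing workflow needs.
SEGMENTED_POLICY = [
    Rule(CMD, GENOMICS_STORE, 443, "allow"),   # sequencer uploads run data
    Rule(SUPPLIER_VPN, CMD, 3389, "allow"),    # on-demand supplier maintenance
    Rule("*", "*", None, "deny"),              # default deny between segments
]

if __name__ == "__main__":
    print("flat:", audit(FLAT_POLICY))
    print("segmented:", audit(SEGMENTED_POLICY))
```

The segmented policy still permits the one flow the workflow needs (sequencer to genomics storage on 443) while every other inter-segment path falls through to the default deny.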


Last edited: 16 October 2023 3:58 pm