Overview Of Australia’s TGA Medical Devices Cybersecurity Guidelines
Technology has advanced to the point where medical equipment can now be hacked. Hackercombat.com has for years covered stories about compromised medical equipment, and it is still not obvious why cybercriminals bother with such attacks, given that targeting patients' medical devices is far less profitable than, say, ransomware or banking trojan development. Nevertheless, Australia's Therapeutic Goods Administration (TGA) does not pull its punches in its newly released guidelines for securing medical devices and IVD (in vitro diagnostic) medical equipment.
The guidelines are divided into three documents: one for industry, one for users, and one for consumers.
The industry PDF document covers the foundations of how the medical and healthcare industry should approach equipment security. The 53-page document cannot be covered in a single article, so we recommend that readers study it separately to understand why TGA gives it priority over the documents for the two other stakeholders. The guidance for industry fully recognises that the world, including Australia, has entered the age of SaMD (Software as a Medical Device), where software, sometimes embedding a form of artificial intelligence, supports the physical equipment. It is unfortunate that we have arrived at a point where supposedly life-saving devices are as vulnerable to cyber attacks as general-purpose computers like PCs and smartphones.
The need for hospitals and other healthcare institutions to be "connected", together with the pressures of "digitisation", is why devices that used to operate independently (which was perfectly acceptable) are now essentially IoT (Internet-of-Things) devices. What is behind the industry's fascination with turning machines that worked entirely offline into Internet appliances? That is the reality TGA is trying to emphasise: as medical equipment becomes IoT, what are the action plans to prevent these devices from becoming the next target of hackers?
“This guidance has been produced in order to support Australia’s medical device cyber security capability, embedding improved cyber security practices across the medical device sector. The purpose of this guidance is to help manufacturers and sponsors understand how the TGA interprets regulations, and thus indicate how to comply,” said TGA in its guidelines for the industry.
The second document, 31 pages long, concerns the security information supplied to those who use the medical equipment. Software running on top of the medical devices has become the interface for medical professionals such as doctors and nurses, replacing direct interaction with the crude user interface provided by the hardware itself. Medical professionals are not IT professionals; they are not trained to act as their own IT support in the event of a cyber attack against the medical devices they rely on every day to treat their patients.
“Users of medical devices have a shared responsibility for providing a cyber secure environment for these devices to operate in. While supplying a compliant medical device is the responsibility of the manufacturer and sponsor, a compliant medical device will only be as secure as the most vulnerable aspect of the system it is expected to operate in,” explained the TGA document for users.
The third document, titled "Consumer Information", deals with how ordinary people handle the changes in hospital technology, especially given that data collected from patients and their families is stored on hospital devices that used to be completely air-gapped but are now practically Internet appliances as well. TGA lists the following examples of consumer interaction with connected medical devices (quoted directly from https://www.tga.gov.au/medical-device-cyber-security-consumer-information#how):
- apps on your smartphone that allow you to record information, such as blood glucose readings and carbohydrate intake, that will be used to determine treatments, such as insulin injections
- implanted devices that can be remotely controlled, such as cardiac pacemakers
- hearing aids that may be controlled by your smartphone
- continuous positive airway pressure (CPAP) machines that treat sleep apnoea, and communicate therapy information to your doctor.