On Jan 21st, 2021, we invited four legal and technological experts from world-class institutions (Identify3D, NYU, MedCrypt, Duane Morris ) to present their perspectives on the future landscape of cybersecurity for 3D printed medical devices. Given the nascent nature of our field, many in the healthcare 3D printing ecosystem have not considered cybersecurity as the number one priority in their product design or adoption, and that is why 3DHEALS organized this event to lay the foundation of this likely important conversation. The cyberattack has made multiple headlines this year, and not in a good way. Major headlines related to medical device malfunction or cybersecurity breach in the healthcare system and 3D printing space will happen with certain, and it’s just a matter of when and how. I have compiled the important takeaways from the webinar, relevant resources, and data into this guide. Hopefully, this will at least inspire you to learn more and start critical conversations. Full event speaker biographies can be found here.
3DHEALS Live webinars are free to the public and recordings are available to registered attendees for 48 hours. On-demand webinar videos are free to 3DHEALS premium and enterprise members. Personalized 3DHEALS Certification of Completion is available through our Courses webinar module, which is also free to our premium and enterprise members.
Why Cybersecurity for (All) Medical Devices?
Vidya Murthy, VP of Operations for MedCrypt provided a general overview of why medical device manufacturers need to pay attention to their cybersecurity strategies. Perhaps lesser known to this audience, Vidya started with a story on how Mayo Clinic requested device makers to address cybersecurity vulnerability when Dalai Lama was getting treatment there. Mayo’s concern was if the nation-state will use the vulnerability to harm the well-known patient. This concern is not irrational, as a pacemaker has been hacked into on stage during Def Con as early as 2008.
The key takeaways from Vidya’s presentation are there are commercial and regulatory momentums for device makers to start to implement cybersecurity strategies more proactively before shipping their products. Hospitals, FDA, and increasingly individual end-users will request cybersecurity features before using the device, especially since cybercrime is getting increasingly intentional and complex.
Vidya also mentioned that the pandemic could be an accelerating factor for increased vulnerability to cyber attacks because cybersecurity regulation is often omitted due to the emergency nature of our healthcare responses, including recent exponential growth of telehealth.
How Can We Secure Medical Devices?
Stephan Thomas is currently the Co-founder and Chief Strategy Officer of Identify3d, and he outlined the major cybersecurity challenges to the digital supply chain faced by 3D printing manufacturers. Stephan pointed out that currently, the 3D printed medical device industry is very small (around 1.6-1.8 billion), but the future growth of this sector is poised to be exponential, up to 425 billion in 2025. He emphasizes that manufacturing is the third most targeted sector by cybercrimes, right behind attacks targeting governments and the financial industries. The many recent articles highlighting these attacks are listed below.
Out of these many potential risks, Stephan highlighted five major cybersecurity risks, which he has detailed in our past 3DHEALS Expert Corner blogs.
It is eyeopening to learn that block chain technology is NOT solution to all in cybersecurity during the panel discussion.
Relevant recent headlines from Stephan’s presentation:
How Can You Protect Off-line AM Devices?
Nikhil Gupta , a professor in the Department of Mechanical and Aerospace Engineering at the NYU-Tandon School of Engineering gave us a more technical review both on cyber vulnerability and strategy of additive manufactured devices. Dr. Gupta mentioned that cyberattack in AM often happens as an insider job throughout the AM process chain, which is a cyber-physical system. Of the many issues that could arise, professor Gupta focused on the issues related to Reverse Engineering and Counterfeit AM devices.
He also provided four examples of potential solutions, which include new audio based lossless encryption method, a 3D QR like code embedded in the authentic products, and CAD code that require authentication to be properly printed. Many steps used by hackers to reverse engineering a physical product can also provide potential solutions to future cyberattack.
How To Manage Liability Risk of Cybersecurity in Medical Devices?
Sean Burke, partner, and vice-chair of the products liability trial division at Duane Morris, focused more on the latest legal challenges related to the liability risks related to cyberattacks in medical devices. Sean has written a great Expert Corner blog focusing on general product liability for us recently.
Sean mentioned that there is an exponential increase in medical device related lawsuit in recent years, driven by a combination of media, FDA recalls, and economic incentives from the plaintiff lawyers.
The legal challenges against future cyberattacks in medical devices come from a lack of existing ruling, regulation, and also knowledge of the kind of potential attacks in the future. Uncertainty and unpredictability in this space will be major challenges for device manufacturers.
Sean suggests the following “now” solutions which were echoed by the other panelists as well:
- Following census standards
- Maintaining an open dialogue with FDA
- Having insurance coverage
- Consulting cybersecurity experts
- Having well-written Indemnification agreements
Obviously, this is an extremely complex subject that will only grow in importance to the medical AM industry in the near future, but I hope this blog and webinar can serve as a starting point for you to consider your next cybersecurity step.