The analysis identifies emerging threats to patient safety and device performance as manufacturers adopt new technologies and advanced encryption.
The MITRE Corporation released a report detailing the cybersecurity risks associated with medical devices that incorporate cloud computing, artificial intelligence (AI), and machine learning (ML). The report, titled “Cybersecurity Risk Analysis for Medical Devices in the Era of Evolving Technologies,” examines how these technologies present new vulnerabilities that could lead to patient harm if not addressed.
As medical device manufacturers (MDMs) innovate, they are increasingly leveraging third-party cloud services and AI algorithms to enhance device performance, according to the report. However, this shift changes the risk management paradigm, requiring shared responsibility between manufacturers, healthcare delivery organizations (HDOs), and third-party providers.
Cloud Computing and Third-Party Risks
The integration of cloud-based technologies has increased significantly, particularly as AI/ML technologies often rely on cloud infrastructure. While these services offer efficiency, they also introduce systemic risks.
“If cloud services are not available, the medical devices and HDOs may not be able to provide care to patients, which leads to indirect and latent patient harm,” according to the MITRE report.
The analysis notes that MDMs have less control over devices and data once they are in the cloud. Attacks on cloud infrastructure or continuous integration and deployment pipelines can disrupt the supply chain or allow adversaries to introduce malware into deployed systems. To mitigate these risks, the report suggests using service level agreements to define security expectations and implementing resilient architectures that allow for local operation when the cloud is unavailable.
Challenges of AI and Machine Learning
Integrating AI/ML into medical devices introduces opportunities for novel cyberattacks, such as data poisoning or prompt injections, according to the report. A primary concern for manufacturers is the “stochastic” or unpredictable nature of AI, where outputs can vary even when presented with identical inputs.
“With AI/ML, however, the underlying behaviors are typically a ‘black box’ in which results can vary with each run, and there is not a good way to perform step-by-step analysis or otherwise inspect the logic and data flow to get consistent results,” the report states.
This lack of predictability can lead to “hallucinations”—false or nonsensical outputs—that may result in misdiagnosis or improper treatment. The report recommends that manufacturers implement guardrails and protection mechanisms, such as retrieval augmented generation, to minimize these risks.
The Quantum Threat to Encryption
The report also highlights the emerging threat posed by quantum computing to current cryptographic standards. A scalable quantum computer could eventually break the public-key cryptography currently used to secure medical devices and patient data.
MITRE warns of a “harvest-now, decrypt-later” threat, where attackers exfiltrate encrypted information today with the intent to decrypt it once a quantum computer becomes available. This could expose sensitive patient data, intellectual property, and device telemetry.
To address this, the National Institute of Standards and Technology is standardizing post-quantum cryptography (PQC). The report urges the healthcare industry to develop strategic plans for PQC migration, noting that transitioning to these new algorithms will require significant time, planning, and resources.
Evolving Risk Management Practices
Managing these emerging risks builds upon existing cybersecurity practices. The report emphasizes the importance of using a software bill of materials to manage vulnerabilities and performing threat modeling early in the design phase.
The analysis concludes that technology will continue to change, making it essential to develop medical devices that can be updated throughout their lifecycle. By adapting governance frameworks and rethinking roles and responsibilities, the healthcare sector can continue to provide care without introducing uncontrolled threats to patients.