“We have to see Q-day as imminent”
What security architectures does the Internet of Medical Things (IoMT) need, and how is medical technology responding to attacks from increasingly powerful technologies? As coordinator of the EU project CYMEDSEC, Stephen Gilbert is working on answers to these questions.
Professor Gilbert, how do you currently assess the threat posed by hacker attacks?
Stephen Gilbert: Year on year, medical IT systems face greater cybersecurity challenges. It is increasingly common to hear of patient deaths as a result of major attacks on hospital infrastructure. Healthcare cybersecurity incidents are increasing – tripling in the last 10 years. Healthcare spends more to resolve data breaches. When hospital security is stepped up after a cybersecurity incident, it often results in worsening patient outcomes as information flows are reduced – i.e., the treatment for cybersecurity breaches can be worse than the disease. We are in urgent need of better approaches to health cybersecurity.
What are your goals at CYMEDSEC?
Stephen Gilbert: CYMEDSEC's primary focus is on an increasingly important area, the Internet of Medical Things (IoMT), i.e., wireless medical devices for remote home monitoring and the Hospital at Home. This is a dream of patients and a much-needed future modality of care that reduces costs and reduces environmental impact, and it has obvious advantages for patients. What can be better than the seamless passive monitoring and clinical follow-up of sick patients where they want to be, in their own homes close to their loved ones? Truly a win-win, but also a new attack surface for cyber attackers, and as we addressed through one of CYMEDSEC’s first publications, patients at home are vulnerable to disruption of care through cyberattack in a way that in-patients are not – there is no analogue doctor or nurse to step in to replace the downed digital system.
The highly efficient digital systems are surprisingly brittle. We address robustness in IoMT home monitoring and the Hospital at Home, considering approaches for assessing the risks of network-connected home and wearable devices, monitoring these devices and safeguarding them through updates.
How can the concept of security by design be implemented in practice?
Stephen Gilbert: Sometimes “security by design” is used as a marketing buzzword, without true deeper implementation. In CYMEDSEC, we take “security by design” very seriously, and for us it means two things. One is the careful consideration of the cybersecurity of medical devices at the design stage, alongside their use and interaction with other medical devices with which they will be built into larger home monitoring/hospital at home systems, and the near-real-time oversight and monitoring of their security status in these systems. Having a live view on the security of systems is standard in the banking domain – 24-hour monitoring of fintech systems is seen as needed, as even short outflows to hackers are unsustainable to system operators. Is the securing of the support systems for sick and seriously ill patients any less of an imperative?
In CYMEDSEC, “security by design” also means the building of entirely new layered open-source secure hardware and operating system approaches for “defence in depth” of IoMT. In CYMEDSEC, this work on developing secure “hardened” hardware and software is led by the Barkhausen Institut in Dresden, and we already have proof-of-concept approaches in testing.
CYMEDSEC is a project involving partners from research, industry and administration. What role does cooperation play in cyber security?
Stephen Gilbert: Collaboration is critical across all domains of CYMEDSEC and is a true strength of the Horizon Europe program. We bring together lawyers, regulatory standardisation experts, cybersecurity experts, hardware ‘chip’ engineers, wireless system experts, social scientists, hospital remote monitoring implementation engineers and information security officers, scientific and communication experts. Partners include academia, medical device companies, cybersecurity companies, and national standardisation institutes.
Collaboration is at the core and everything we have achieved and will achieve over the next two years is through looking at problems with multiple heads, challenging each other from our unique standpoints, finding new ways of looking at problems and integrating solutions that work for all stakeholders, holistically.
What role do post-quantum cryptography and AI play – both as an opportunity and a risk for cybersecurity?
Stephen Gilbert: Quantum computing and post-quantum cryptography are sometimes seen as future topics. We challenge this perception. In recent months, Google demonstrated the use of a quantum computer to outperform conventional computers on a real-world biological problem. Although not widespread in use, quantum computing exists. Although we have not yet reached ‘Q-day’, when traditional public-key cryptography can be broken easily by quantum computers, we are already living in a world in which we have to see Q-day as imminent.
Is this scary? Yes and no. No, this is not scary, as the world is actually well prepared. The U.S. National Institute of Standards and Technology (NIST) has guided the creation of a portfolio of usable Post-Quantum Computing (PQC) cryptography algorithms, safe for use in a post-Q-day world and already recommended for adoption, particularly as we live in the clear and present danger of “harvest now, decrypt later” attacks. Effectively the world faces a large implementation challenge, but not a technology or science challenge per se. However, yes, this is scary: will our healthcare systems, filled with legacy systems and outdated technology, really implement PQC cryptography algorithms efficiently, promptly and completely? This is unlikely, but we continue to work for the best possible policy approaches through CYMEDSEC.
The AI oversight of the security of networked systems, the use of AI to assist in the bureaucracy of cybersecurity regulatory processes and the security of AI-enabled medical tools against, for example, poisoning and prompt engineering attacks are also part of our wider remit in CYMEDSEC, and are amongst the most exciting and fastest-moving areas of research. Our approaches to system-level medical device standardization look at IoMT and AI-enabled medical devices together.
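The “harvest now, decrypt later” point above turns into a concrete prioritisation question for a device fleet: which devices must migrate first? The Python script below is an added example by the editor, not code from the interview or from the CYMEDSEC project. It applies a Mosca-style check (migration time plus required data confidentiality lifetime versus an assumed Q-day year) to a constructed IoMT inventory, treats hybrid key exchange as quantum-safe as long as one component is, and ranks firmware-signature weaknesses lower than key-exchange weaknesses because a forged signature only becomes possible once Q-day arrives, whereas recorded traffic is exposed today. The device names, algorithm labels, lifetimes and the 2035 Q-day horizon are all constructed assumptions; the algorithm names in the PQC set are those standardised by NIST in FIPS 203, 204 and 205.

```python
"""Crypto-agility triage for an IoMT fleet against 'harvest now, decrypt later' (HNDL).
Added example; the device inventory and the Q-day horizon are constructed assumptions."""
from dataclasses import dataclass

CURRENT_YEAR = 2025          # fixed so the example is deterministic (constructed)
ASSUMED_QDAY_YEAR = 2035     # planning assumption for this example, not a forecast

# Public-key schemes that Shor's algorithm breaks on a cryptographically relevant quantum computer.
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-3072", "ECDH-P256", "ECDSA-P256", "X25519", "Ed25519"}
# Schemes standardised by NIST in FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA).
PQC_SAFE = {"ML-KEM-768", "ML-KEM-1024", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHA2-128s"}


def classify(algorithm: str) -> str:
    """Classify a (possibly hybrid, '+'-joined) algorithm string.
    A hybrid stays 'pqc' as long as one component is quantum-safe; a construction is
    'vulnerable' only if every component is breakable by Shor; anything else is 'unknown'."""
    parts = algorithm.split("+")
    if any(p in PQC_SAFE for p in parts):
        return "pqc"
    if all(p in QUANTUM_VULNERABLE for p in parts):
        return "vulnerable"
    return "unknown"


@dataclass(frozen=True)
class DeviceCrypto:
    name: str
    key_exchange: str          # protects confidentiality of data in transit
    firmware_signature: str    # authenticates update packages
    data_lifetime_years: int   # how long the transmitted data must stay confidential
    migration_years: int       # estimated time to roll PQC out to this device class


def hndl_exposed(d: DeviceCrypto, current_year=CURRENT_YEAR, qday_year=ASSUMED_QDAY_YEAR) -> bool:
    """Mosca-style test: traffic captured today is exposed if migration time plus the
    required confidentiality lifetime reaches past the assumed Q-day."""
    return (classify(d.key_exchange) == "vulnerable"
            and current_year + d.migration_years + d.data_lifetime_years > qday_year)


def priority(d: DeviceCrypto, current_year=CURRENT_YEAR, qday_year=ASSUMED_QDAY_YEAR) -> str:
    """P1: confidentiality of data sent today is already at risk (HNDL).
    REVIEW: an algorithm the tables do not know; needs a human look.
    P2: must migrate before Q-day, but nothing captured today is lost yet; this also covers
        signatures, since forging a firmware signature only becomes possible once Q-day arrives.
    OK: both primitives are PQC (or hybrid)."""
    kx, sig = classify(d.key_exchange), classify(d.firmware_signature)
    if hndl_exposed(d, current_year, qday_year):
        return "P1"
    if "unknown" in (kx, sig):
        return "REVIEW"
    if "vulnerable" in (kx, sig):
        return "P2"
    return "OK"


def triage(inventory, current_year=CURRENT_YEAR, qday_year=ASSUMED_QDAY_YEAR) -> dict:
    """Map each device name to its migration priority."""
    return {d.name: priority(d, current_year, qday_year) for d in inventory}


# Constructed sample inventory (not real devices or vendors).
INVENTORY = [
    DeviceCrypto("ecg-patch", "X25519", "Ed25519", data_lifetime_years=20, migration_years=4),
    DeviceCrypto("home-gateway", "X25519+ML-KEM-768", "ML-DSA-65", data_lifetime_years=20, migration_years=0),
    DeviceCrypto("legacy-infusion-pump", "RSA-2048", "RSA-2048", data_lifetime_years=1, migration_years=6),
    DeviceCrypto("bathroom-scale", "ECDH-P256", "ECDSA-P256", data_lifetime_years=0, migration_years=2),
    DeviceCrypto("vendor-blackbox", "PROPRIETARY-KX", "ECDSA-P256", data_lifetime_years=5, migration_years=3),
]

if __name__ == "__main__":
    for name, level in sorted(triage(INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{level:7} {name}")
```

The point the script makes for a legacy-heavy estate is that the long-lived patient data stream (the ECG patch with a 20-year confidentiality requirement) is the first migration target even though its cryptography is the same as the bathroom scale's; shortening the assumed Q-day horizon (pass a smaller `qday_year`) pulls further devices into P1.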
Stephen Gilbert
Stephen Gilbert is Professor of Medical Device Regulatory Science at the Else Kröner Fresenius Center (EKFZ) for Digital Health at TUD Dresden University of Technology. After completing his PhD at the University of Leeds, he worked in research for several years. Between 2017 and 2022, he worked in the field of medical technology and digital health in industry before returning to academia in 2022. Established in 2019, the EKFZ Dresden is funded by the Else Kröner-Fresenius-Stiftung with €40 million over ten years. It focuses its research on medical and digital technologies at the interface with patients.