Medical devices have gone from simple bandages that help wrap up wounds to MRI machines that scan the body for organ irregularities. With increasing complexity over the last five years, these devices have come to rely on software and the Internet to assist people with more efficiency. Now that these machines are able to communicate with one another, their network is susceptible to data loss and compromise due to cyberattacks. A good example of this was the 2017 WannaCry’s ransomware attack against the UK’s National Health Service (NHS), costing them £92M to recover the data and its subsequent cleanup.
According to a survey conducted by KLAS and the College of Healthcare Information Management Executives (CHIME), provider organizations do not have complete confidence in the security of their medical devices. The most common reasons cited point out either a hesitation on the manufacturer’s part to update these said devices, or that patches do occur, but these take too long. As proof, the survey revealed that about 18% of the organizations who participated in the survey have experienced malware attacks on their medical devices in 2018.
When these devices are out-of-date, they become vulnerable to data breaches—as most software and gadgets are when they are not properly secured. This problem is compounded by the fact that these devices have long life spans and are vital to a patient’s medical needs. This security loophole could lead to issues in the future.
Medtronic, a company that manufactures pacemakers and implantable insulin pumps, admits that their devices still show a lot of vulnerabilities. Hackers can get into the computer a doctor uses to program these pacemakers and put in a new code that would send out harmful instructions to all the devices connected to it. If the insulin pump or pacemaker disables, it could lead to the patient’s death—and a healthcare provider’s lawsuit.
However, health organizations are currently at a loss. On the one hand, withholding these medical tools could jeopardize their patient’s health. On the other, purchasing and using these already-vulnerable devices heighten the risk for data breaches. Where then is the middle ground?
Back in 2014, the Food and Drug Administration (FDA) released a guidance document called the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This document tackles the list of cybersecurity risks that a company has to consider when designing a medical device, as well as the list of controls necessary for the device. The document also gives instructions and recommendations when drafting a 510(k) for submission.
In 2018, the FDA updated this original content and provided revised recommendations. This includes materials, software, and hardware components that may have vulnerabilities to malware and cyberattacks. The guide is still open to additional suggestions and edits until March 2019, when the administration includes the final revisions.
Here are a few recommendations from the FDA to further protect the devices:
It is not only important that healthcare providers are made aware of the risks, but that they also are made vigilant towards medical device suppliers and manufacturers. Keeping one another accountable and informed will ultimately help save a lot of lives in the future.
We are Wilson Consulting
Our company conducts security assessment to help you identify vulnerabilities in your devices. Our Cyber Security Assessment provides a detailed evaluation of an organization’s existing security policies, procedures, controls and mechanisms in relation to best practices and industry standards. We provide practical actionable recommendations to address any identified risk and ensure your organization’s device exceeds FDA’s cyber security requirements.