The FDA Guide: How Medical Devices Can Be Secured


January 10, 2019·3 min read

Medical devices have gone from simple bandages that help wrap up wounds to MRI machines that scan the body for organ irregularities. With increasing complexity over the last five years, these devices have come to rely on software and the Internet to assist people more efficiently. Now that these machines can communicate with one another, their networks are susceptible to data loss and compromise through cyberattacks. A good example is the 2017 WannaCry ransomware attack against the UK’s National Health Service (NHS), which cost it £92M for data recovery and the subsequent cleanup.


Losing confidence in their security

According to a survey conducted by KLAS and the College of Healthcare Information Management Executives (CHIME), provider organizations do not have complete confidence in the security of their medical devices. The most commonly cited reasons are that manufacturers hesitate to update these devices, or that patches do arrive but take too long. As proof, the survey revealed that about 18% of the organizations who participated have experienced malware attacks on their medical devices in 2018.

When these devices are out of date, they become vulnerable to data breaches, as most software and gadgets are when they are not properly secured. This problem is compounded by the fact that these devices have long life spans and are vital to a patient’s medical needs. This security loophole could lead to issues in the future.

Medtronic, a company that manufactures pacemakers and implantable insulin pumps, admits that their devices still show a lot of vulnerabilities. Hackers can get into the computer a doctor uses to program these pacemakers and put in new code that would send out harmful instructions to all the devices connected to it. If the insulin pump or pacemaker is disabled, it could lead to the patient’s death, and to a lawsuit against the healthcare provider.

However, health organizations are currently at a loss. On the one hand, withholding these medical tools could jeopardize their patients’ health. On the other, purchasing and using these already-vulnerable devices heightens the risk of data breaches. Where then is the middle ground?


How the FDA steps in

Back in 2014, the Food and Drug Administration (FDA) released a guidance document called the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This document covers the cybersecurity risks that a company has to consider when designing a medical device, as well as the controls necessary for the device. It also gives instructions and recommendations for drafting a 510(k) submission. In 2018, the FDA updated the original content and provided revised recommendations. These cover materials, software, and hardware components that may be vulnerable to malware and cyberattacks. The guide remains open to additional suggestions and edits until March 2019, when the administration includes the final revisions.

Here are a few recommendations from the FDA to further protect the devices:

  • Choose device manufacturers wisely. Ensure that manufacturers go through and follow the quality system regulations (QSRs) provided by the FDA.
  • Have devices constantly updated. Manufacturers can and should update medical devices to improve their protection against cyberattacks. Where manufacturers do not, Healthcare Delivery Organizations (HDOs) are also responsible for patching outdated software.
  • Have devices validated. When the software has been changed or updated, see to it that the manufacturers follow the validation guidelines provided by the FDA.

It is important not only that healthcare providers are made aware of the risks, but also that they stay vigilant toward medical device suppliers and manufacturers. Keeping one another accountable and informed will ultimately help save a lot of lives in the future.

We are Wilson Consulting

Our company conducts security assessments to help you identify vulnerabilities in your devices. Our Cyber Security Assessment provides a detailed evaluation of an organization’s existing security policies, procedures, controls and mechanisms in relation to best practices and industry standards. We provide practical, actionable recommendations to address any identified risk and ensure your organization’s device exceeds the FDA’s cyber security requirements.
