One newer security concern involves implanted medical devices and vulnerabilities to hackers. As it stands, about 10–15 devices are connected across the nation. Most of these are vulnerable to hackers, especially pacemakers and other implants, which are leaving patients at risk for attack.
Many medical devices use radio and/or network technology to share patient data among healthcare professionals. While this practice increases positive results for patients, it is also potentially dangerous, because many of these technologies lack adequate security, and several attacks have already taken place. By hacking cardiac defibrillators and pacemakers, attackers have already stolen sensitive medical records. The U.S. government is looking for ways to stop attacks on medical devices.
In October 2018, a report was filed by an inspector general on the FDA’s plans. The findings were “deficient for addressing medical device cybersecurity compromises.” In response, the FDA said it has “worked proactively” on the topic.
Learn more about device security at MTI’s upcoming conference, Medical Device Cybersecurity: Legacy Device Remediation, Compensating Controls & End of Life | September 26–27, 2019 | Cambridge, MA or attend virtuallyThe rise of the digital age has raised security concerns regarding medical devices has put many on alert.
What are the risks? How much damage can hackers cause with such attacks?
As medical technology has evolved, implant devices are able to communicate wirelessly and the Internet of Things has introduced new possibilities with many wearable devices. These devices allow patients and their healthcare providers to stay connected. Although this sounds like great news, significant security vulnerabilities have been uncovered with some of these products.
Let’s face it, the more vulnerable the medical device, the higher its risk for hacking. In March 2019 Medtronic made headlines after disclosing a security flaw in some of its implantable devices.
Following the Department of Homeland Security’s flagging of a “critical cyber security weakness“, a vulnerability rating of 9.3 (out of 10 points) was given for one of its cardiac devices.
Medtronic’s cardiac devices use a wireless communication system. The system’s flaws could allow for potential access from unauthorized users. This means unauthorized users could change the device’s settings or at-home monitoring systems.
A few years ago, FDA recalled 465,000 implantable pacemakers manufactured by St. Jude Medical due to the potential for attacks. Patients with the implants didn’t have them taken out; instead, Abbott (owner of St. Jude Medical) released a firmware update in August 2017. The update includes more precise security for patients. The possible risks from attacks include hackers wearing down the device’s battery life or changing the heartbeat of a patient. These are both potentially fatal attacks.
Although, no such attack is on record—the threat is real.
This sounds horrifying, but it might not be as bad as it seems. These attacks would need to be made in close range to the patient. Also, it would have to occur during a time when the device connects to the internet to send or receive data. The risk is a long shot; however, it’s still a risk.
Fortunately, experts report that the security posture of the medical device company community has been working to improve this issue for the last few years.
The government has made improving medical device security a priority, according to Anura Fernando, UL’s Chief Innovation Architect of Medical Systems Interoperability & Security.
“The FDA is preparing new and improved guidance. The Healthcare Sector Coordinating Council recently put out the Joint Security Plan. Standards Development Organizations are evolving standards and creating new ones where needed. DHS is continuing to expand upon their CERT programs and other critical infrastructure protection plans, and the healthcare community is expanding and engaging with other to continuously improve upon the cybersecurity posture to keep pace with the changing treat landscape.” – Anura Fernando, as quoted in an article on How-To Geek
Although stakeholders are actively working to improve security in medical devices, there’s still a lot of work to be done.
Over the last few months, some security issues have surfaced regarding healthcare. From the outdated Windows platforms most healthcare providers rely on, to the outdated systems medical devices use—it’s time for an update. However, healthcare is increasing the number of connected medical devices and at a steady rate, and this means the opportunity for attacks are higher, too. Likewise, this makes detecting and scaling security more challenging.
Recent research from Forescout and Duo Security finds healthcare is resource constrained. The gaps in IT staffing are making it challenging for organizations to make the switch to platforms with more security.
Cynerio CEO and Founder Leon Lerman has seen a substantial increase on medical device security awareness over the last six months, according to an article on SecurityWeek.
More requests for projects that focus solely on the security of medical devices and looking for solutions to security breaches is very important to the telehealth community.
The title of “medical device security engineer” has also been evolving. Lerman stated this newer position is a mixture of IT, security and a biomedical engineer. Leaders from each of these departments may not understand medical device security. Wrapping them into one role makes for a more efficient position, focusing on the security of medical devices solely.
When a hospital has medical device security engineers separate from biomedical engineers the security focus for these employees with be higher. This will benefit the level of protection at the organizational level.
As of 2019, more than 32 million patient records have been infringed, according to the Protenus Breach Barometer. Many of these violations were due to hackers. The industry has been prone to phishing and ransomware, reports show.
As security measures are increasing, the tools used to combat these issues may not be as effective as security leaders hope. Threats and concerns are constantly rising; however, the healthcare industry still scrambles to keep up the pace. Medical device attacks from hackers are quickly becoming a major security concern. Anything wireless has the potential to be compromised.
Whether it be pacemakers, cardiac defibrillators or any wireless hospital equipment—all these types of devices are at risk. Industry and manufacturers alike must work towards making these devices safer while complying with the FDA guidelines. Otherwise, the risk for attacks will continue to grow as technology continues to advance.