Security breaches can pose serious threats, especially with medical devices. These threats include causing devices to malfunction, disrupting the transmission of patient medical data or prematurely draining the batteries.
The biggest risk to patients is if hackers intercept and modify data being transmitted to or from the device. If that interception is not detected, the hacker’s actions could potentially interfere with the patient’s care.
Learn more about device security at MTI’s upcoming conference, Medical Device Cybersecurity: Legacy Device Remediation, Compensating Controls & End of Life | September 26–27, 2019 | Cambridge, MA or attend virtuallySoftware and security issues were the cause of 45 million medical device recalls in 2018 alone. The FDA recently warned that some cardiac implants could be hacked from as far away as 20 feet. There have been no reported incidents of medical device security breaches that have harmed patients.
For an industry projected to balloon to a value of $63 billion over the next five years, data integrity and security must be top priority.
New technology, patient education and following precautionary steps for device security can help reduce the risk of hackers accessing remote medical devices and patients’ personal identifying information.
Device security is multi-layered. Healthcare organizations must have secure information technology systems. On the network level, security measures must prevent data from becoming corrupted. The application layer, including web, mobile or cloud-based applications connected to the device, must address security during design, development and testing. Security steps should include:
- Building security into IoT applications and devices during the design phase.
- Preventing unauthorized users from gaining access.
- Limiting data collection to information required for the device to operate as intended; only keep data for the shortest amount of time necessary.
- Designing products to ship with unique credentials or require users to set new credentials the first time they use the device.
- Monitoring the health of devices and provide patches as soon as vulnerabilities are identified.
Medical devices are overseen by the FDA, which monitors the ongoing safety and efficacy of regulated marketed devices through MedWatch, the FDA Safety Information and Adverse Event Reporting Program.
Devices also need to meet HIPAA requirements by encrypting data transmitted and/or stored on servers.
Last year, the U.S. Department of Health and Human Services recommended that device makers and the FDA conduct pre-submission meetings to better address questions regarding networked-device cybersecurity. The FDA asked manufacturers to provide:
- Hazard analysis listing the cybersecurity risks considered and the cybersecurity controls incorporated into the device.
- Traceability matrix linking the actual cybersecurity controls to the risks that were considered.
- Manufacturer’s plans for validating and updating device software.
- Description of controls in the software supply chain.
In July, the National Institute for Standards and Technology, part of the U.S. Department of Commerce, issued a draft guideline of cybersecurity features that manufacturers can voluntarily adopt for IoT devices, which is also relevant to medical devices.
How Patients Can Protect Themselves
Beyond the technology development by the manufacturers, there are ways that consumers can protect themselves and their data:
- Always obtain medical devices directly from the manufacturer or your physician.
- Always change default passwords when setting up a device.
- Take advantage of the latest software upgrades and other device improvements. These precautions will ensure the device has not been tampered with and is updated with the latest security software.
We may not be able to guarantee the total security of medical devices—software, internet connectivity and wireless communications carry inherent security risks. These also are technologies that greatly benefit patients, however.
All stakeholders should work together, including healthcare organizations, device manufacturers, security experts and medical professionals, to ensure devices are as secure as possible.
Remote cardiac monitoring is saving lives, making it even more important that all stakeholders are committed to patient safety and security.