Could hackers take control of a human heart? While it feels like the plot of a futuristic sci-fi thriller, the risk of cybersecurity threats to almost any network-connected medical device is very real. Thankfully, no patients to date have been injured because of a cyber-attack. However, as the market for connected medical devices within both the home and traditional healthcare settings continues to grow, the probability of this type of cyber-attack will increase if not addressed properly.
All manufacturers should be aware that the U.S. Food and Drug Administration (FDA) is monitoring this risk and may take action against them. In August 2017, the federal agency recalled nearly half a million pacemakers produced by one manufacturer amid concern that the life-saving medical devices were vulnerable to hackers who might attempt to control their pacing or deplete their batteries. The manufacturer released a firmware update designed to address the vulnerabilities, sparing patients from having to undergo a device removal or replacement. Still, the recall has only heightened awareness about the prevalence of cybersecurity threats in medical devices.
The fact that cybersecurity worries have now entered the medical device world shouldn’t come as too much of a surprise. In an era in which hackers have reached their tentacles into intricate financial systems and global retail chains, medical devices now relying on connectivity present just another potential arena for cybercriminals – it just so happens that these connected devices can have life-threatening implications.
Within the past several years, most of the healthcare industry has transitioned away from paper records to electronic medical records (EMRs) that depend on electronic health record (EHR) systems. As these increased electronic capabilities have come into play, medical devices have added online connections and started to feed data directly into those electronic health systems. With the devices and patient databases now connected to each other, providers can improve patient care through stronger coordination and greater personalization. These tools are helping to improve healthcare options for patients as well as ease of use and process efficiencies for the medical community.
With increasing risks in this environment, healthcare professionals and administrators now understand that they must operate under the assumption that a cyber-attack on their medical devices could occur, rather than treating it as a far-fetched stretch of the imagination. Even a seemingly innocuous internet connection to an appliance in a hospital cafeteria can potentially allow a hacker to enter the hospital network and attack or disrupt susceptible medical devices connected to that network. In addition to the threat to patients, cyber-attacks are financially damaging as well: the average cost of a healthcare breach has been estimated at more than $2.2 million. Manufacturers should, in turn, anticipate and identify specific vulnerabilities that can directly impact these healthcare systems. Practices such as regularly applying security patches to medical devices and networks, and installing malware protection on hospital technologies, help keep intruders from reaching the most vulnerable points to steal patient data and help ensure that these systems remain secure.
In 2016, the FDA issued guidance that set forth basic security recommendations, including multifactor authentication, user access limits, strengthened passwords, layered authorization and breach detection procedures. While the FDA recommendations are advisory in nature, failure to adhere to them can potentially slow the FDA’s review of a medical device product’s premarket application or subject a manufacturer to sanctions for unsafe products entering into the U.S. market.
Moreover, why some devices are at greater risk than others depends greatly on manufacturer experience levels. As in most industries, the medical device industry contains a broad spectrum of security maturity across its community.
At one end of the spectrum, well-established and experienced product manufacturers have been dealing with security issues for many years, gaining strong insights into what they can do to improve their security posture. At the other, newer entrants into the medical device space, such as makers of mobile medical apps, possess limited experience in medical development processes. They often struggle to understand the challenges of entering a heavily regulated market, and sometimes security takes a backseat to other items on their priority lists.
However, device manufacturers don’t need to go it alone. Many third-party organizations are continually refining testing practices to help medical device manufacturers keep pace with ever-changing cybersecurity threats before their products are introduced into the market.
Using proven lab tests, such as known-vulnerability scanning, malware scanning, static code analysis and more, helps device manufacturers identify software vulnerabilities and weaknesses, address known malware issues, review security controls and increase their overall security awareness. In addition, such tests provide medical device manufacturers with a set of commonly accepted methods for demonstrating their security efforts to regulators, customers, investors and others.
With the market for interconnected healthcare systems and smart medical devices projected to reach nearly $58 billion annually by 2023, addressing the cybersecurity of these devices and systems should be of paramount concern for medical device manufacturers. By adhering to FDA recommendations and leveraging the expertise of proven cyber testing methods, manufacturers can tackle known cybersecurity issues today while also attempting to anticipate concerns that may lie ahead.