3 Cybersecurity Risks with Medical Device
Cybersecurity has moved to the front and center of safety discussions in every industry. Governments are concerned about cybersecurity in terms of election tampering. Firms in the legal industry are worried about the threat of cyber security on client confidentiality. Then there’s the financial sector’s responsibility for safekeeping financial records, the manufacturing sector’s desire to maintain trade secrets, and of course the healthcare sector.
Those in the medical industry have numerous worries when it comes to medical device cybersecurity. There are patient records and interferences with the delivery of essential supplies. Recently, however, one of the hottest cybersecurity topics has been in regards to the medical device space.
The Cybersecurity Of Medical Devices
A number of movies, books, and TV shows have highlighted the possibility of medical device tampering. The villain of the story will hack into their target’s medical device—usually a pacemaker. They will speed it up, slow it down, shock it, or even just drain its battery. And while there has never been a documented case of a computer attack on a medical device, it could easily happen.
Security researchers have regularly started finding vulnerabilities in medical devices that leave them open to hacking attempts. There have also been multiple ransomware attacks on hospitals that have shut down their computers. These types of attacks could easily translate into attacks on devices given the fact that implantable pacemakers communicate wirelessly with doctors’ handheld devices and infusion pumps are connected to hospitals’ IT networks.
From the FDA’s side, the agency has been aware of this concern for several years and have actively taken steps to address it. These steps include launching a Cybersecurity Working Group, publishing rules for medical device cybersecurity, and adjusting their process to more thoroughly vet medical devices for cybersecurity readiness.
With hacks and cyber attacks happening every day around the globe, and some of them targeting hospitals and the healthcare industry, biomedical engineers, device manufacturers, and healthcare organizations need to adjust their practices.
The Potential Cyber Security Risks
In order for the biomedical engineers to develop medical devices that can fend off cyber attacks, they must be aware of the risks that networked medical devices currently face. While engineers can not completely prevent these threats from actually occurring, they can build devices with more effective defense systems.
The following provides a look at the biggest risks that networked medical devices face:
- Unauthorized access to implanted medical devices, device monitoring systems, and patient data through wireless technology.
- Electromagnetic interference.
- Denial-of-service attacks.
- The use of malware to infect, reprogram, or alter device settings.
- The loss or theft of portable or external networked medical devices.
While safeguards can be implemented to reduce the likelihood of incidents such as DoS attacks and malware infections, none of the previously mentioned risks can be totally prevented by biomedical engineers and medical device manufacturers. The following risks, though, are security and privacy vulnerabilities that hospitals, medical practitioners, and patients can work together in an effort to thwart:
- Firmware and software that is defective or has not been fully tested.
- The use of spear phishing attacks, spyware, malware, or network transfer (i.e. file transfer, email, or remote access channel) to steal data, destroy data, manipulate data, disclose data without authorization, or prevent data from being available to providers.
- Weak security practices.
- Misconfigured networks.
- Poor control over password distribution, hard-coded passwords, or disabled passwords.
- Failure to update medical devices with security software patches from the manufacturer.
- Weak disposal protocol for patient information and data (i.e. health records, test results, etc).
Potential Cybersecurity Threats
It is important to differentiate between the risks and threats that medical devices currently face. A risk is what can happen or the damage that can be caused. A threat is the person, entity, or thing that creates the risk. So while the risk might be denial-of-service attacks, the threat could be hackers who are trying to force the medical device to fail. The following are the potential threats that medical devices face:
- Malware that is not directly targeting medical devices, but is able to bypass antivirus engines and rules.
- Anonymous individuals (a.k.a hacktivists) with a goal of interrupting service.
- Individuals or groups with malicious intent to harm specific patients or damage a healthcare brand.
- Individuals or groups who want to make money from the sale of patient health records, defraud Medicaid or Medicare, steal patient identities, or engage in financial fraud.
How To Approach Medical Device Cybersecurity
The risks and threats that medical devices face are clear. And while there has yet to be an intentional attack on a device, the capability is there and so are the vulnerabilities. Therefore, it is the responsibility of biomedical engineers, medical device manufacturers, and hospitals to create comprehensive medical device cybersecurity measures that will prioritize patient safety. The following dives into a few steps that can be taken:
When it comes to cyber attack prevention, the first place to start is effective governance. Hospitals and healthcare organizations must develop, implement, and monitor risk management procedures and policies that address medical device security. In order to develop these procedures and policies, healthcare organizations should create a risk assessment—the ISO/IEC 80001 is a helpful framework for this.
They should also participate in industry initiatives that help to establish security standards. Two examples of such organizations are the Association for the Advancement of Medical Instrumentation and the Medical Devices Innovation Safety And Security Consortium.
2. Risk Identification
In order to effectively govern the organization and develop the right policies and procedures, healthcare providers need to identify current and emerging risks and threats to medical devices. This means that all devices should go through a standard evaluation process and there should be an ongoing risk identification procedure.
3. Risk Management
The risk management aspect of medical device cybersecurity must include all of the following:
- A regulated method for data flow and transmission.
- Inventory management.
- Security-specific procurement requirements.
- Software update procedures.
- Safeguards to protect against device failure.
- Physical safeguards for preventing damage and theft.
Even though medical devices have yet to become targets of cyber attacks, healthcare providers need to be prepared for this possibility. Understanding the risks and threats, as well as implementing strong governance, risk identification, and risk management is non-negotiable.