Medical Device Cybersecurity – The New Reality
Ransomware, malware, distributed denial of service attacks, Mirai – bad actors in a scary sci-fi thriller targeting your personal computer (PC), tablet or gaming device? Cyber attacks look for vulnerabilities in any system, not just your PC. Many sectors, including credit cards, banking, government, retail and social media, are objects of cyber attacks. The healthcare ecosphere, particularly medical devices, is a prime target of cyber bugs. In fact, healthcare is the number one industry when it comes to breach of data and generally lacks specialized security controls. Moreover, personal health information is 50 times more valuable on the black market than a credit card.
Ransomware, which blocks access to a computer or network until money is paid, is on the rise, with 88 percent of attacks occurring in healthcare. Earlier this year, a California hospital paid $17,000 to cyber intruders to regain control of its electronic health network. Just last year, Anthem’s database of about 80 million people was also hacked.
Internet-connected medical devices, hospital networks, and other devices fall in the realm of the Internet of Things (IoT). Like computers, these connected devices can be hacked, potentially affecting the safety and effectiveness of the device and compromising patient privacy and safety.
In October 2016, J&J reported the potential for hackers to exploit a security vulnerability in the Animas® OneTouch Ping® insulin pump. This could force the pump to deliver unauthorized insulin injections, leading to a possible insulin overdose, which can be life threatening. In August 2016, allegations, which were denied, were made about a possibly dangerous cyber bug in one manufacturer’s cardiac devices. Last year, the FDA issued a few warnings about potential cyber bugs with Hospira’s (now Pfizer) infusion pumps. Despite these reports, the FDA is not aware of any cases where hackers have exploited cyber vulnerabilities to harm a patient.
In January 2016, the FDA made medical device cybersecurity a priority by issuing draft guidance for manufacturers. It provides direction to monitor, identify, and address cybersecurity vulnerabilities throughout the medical device lifecycle. This is largely a voluntary framework to aid manufacturers in building a scaffolded approach to minimize and mitigate risk.
Cyber attacks on medical devices are expected to grow and become more sophisticated as hackers continue to hone their craft. Threatened connected devices range from security cameras to coffee makers and from the federal government to medical devices such as MRIs, infusion and insulin pumps, and the list goes on. There is a proliferation of wearables and medical devices with software and programmable logic. When factoring in the evolution of electronic medical records and telehealth, regulators, medical device manufacturers, and health networks need to get savvier in order to provide solid security against this new reality.