Cyberattacks are increasingly common in the health care industry. As the number of networked medical devices increases, so does the urgency for makers of these devices to understand and mitigate threats to device security.
In an increasingly interconnected and digital world, more and more medical devices contain embedded computer systems, which can be vulnerable to security breaches that affect how these devices operate. In March 2019, the U.S. Food and Drug Administration (FDA) issued a warning about two security flaws affecting dozens of implantable cardioverter defibrillators.
Such warnings underscore the importance of a cybersecurity-minded approach to device development.
Cyberattacks can be initiated by the introduction of malware into the equipment or by unauthorized access to configuration settings and data—not only in the devices themselves, but also in the hospital or other networks to which they are connected.
Attacks on networked medical devices, and the data they collect and transmit, can be costly. Patient safety is a critical concern, especially with devices such as defibrillators and insulin pumps that could cause patient harm or death if they malfunction.
Data stolen from networked devices can also reveal commercially valuable information, such as:
- Patient health data, which can be sold, used to run phishing schemes, or combined with other mined data to facilitate identity theft
- Product performance data, which can be sold to competitors or manipulated to undermine the device maker’s safety and efficacy claims
- Data from other devices connected to the same network, which can have system-wide impacts
Judging the risk of an attack
There are a number of factors that contribute to cybersecurity risks in the medical device sector. These factors include:
- Use of off-the-shelf software
- Advances in the Internet of Things (IoT), which blur the lines between public and private data and make it easier for health information to be shared electronically
- Proliferation of wearable and at-home medical devices, as well as telehealth offerings
- Lack of a mandate for health care facilities to retire devices that are no longer supported by the manufacturer
- Limited collaboration between the makers of medical devices and the health care delivery organizations that implement those devices
Over the past few years, the FDA has been vocal about the need for increased cybersecurity for medical devices. Since the FDA published its first premarket cybersecurity guidance in 2014, the agency has issued two other guidance documents. In 2016, the FDA published a postmarket guidance, which provides recommendations on how manufacturers should respond to new cybersecurity threats for marketed devices. In October 2018, the FDA issued an updated draft premarket guidance that also includes some postmarket recommendations.