In light of increasing cyber-threats over the past several years, governments, industries and individuals all over the world are turning their sights toward improving cybersecurity. Regulations are expanding to cover everything from reducing financial fraud to protecting medical devices.
In 2021, roughly 32M Americans relied on implanted medical devices. The U.S. made up nearly half of medical device sales worldwide. Regulations that protect the cybersecurity of those who rely on these tools are long overdue.
Wait…Medical Devices Need Cybersecurity?
It may not seem like medical devices carry much risk of an attack. Truthfully, however, there’s a whole trove of weak points in our current approach to protecting them.
The FDA recommends certain best practices to the production companies, but that leaves them largely to their own devices (no pun intended) when it comes to consistency and repeatability. Standardization makes collaboration, and building off of others’ good ideas, much simpler. That’s a plus for businesses, but it’s great for the users of these devices, too. Furthermore, using the same rulebook ensures that every machine is built, and regularly updated, with the most current soft- and hardware available.
The healthcare professionals who recommend and help operate these tools need access to the information stored therein. Software as a Medical Device (SaMD) has become more and more commonplace in households and hospitals alike. Data breaches, and the risk of one, make these devices more expensive for the user to obtain and more dangerous to use. That’s why more regulation is needed to secure these devices from outside threats.
Cyber Attacks Targeting YOUR Devices
Think of the state of prosthetics thirty years ago compared to what experts can design now. Now consider that all of medical technology has advanced this much in the past few decades, and you can only imagine the kind of developments that have been birthed.
Cybercriminals have been taking an interest, too.
- Implanted Cardioverter Defibrillators have been hacked to read the PHI written there, or even controlled to affect their ability to detect and stop arrhythmias
- The wireless monitoring capability of insulin pumps can be affected to produce incorrect readings, which can be life-threatening to a diabetic
- Devices connected to the hospital network are a vulnerability that hackers will try to exploit to gain access to PHI
- If one of the weak points in your SaMDs is breached, it may result in devices shutting off or otherwise malfunctioning
- Your PHI is worth a lot of money on the Dark Web; unauthorized access to it can have a domino effect that leaves you at risk for identity theft
Whether the goal is to find out patient information, avoid paying for features, harm the user, replicate patented features or simply figure out how the device works, unpatched vulnerabilities in implanted medical devices are life-and-death risks for the users to take on. In any case, they have very few alternatives to work with.
What Kinds of Protections Do We Need?
Recently, the FDA has drafted guidance and regulations to improve medical device cybersecurity. This includes transparency, better security baked into the design itself, risk management and improved testing to make sure the devices work as safely as expected. Secure source code and better configurations will also help root out vulnerabilities in the devices on a regular basis, so software can be patched and updated accordingly.
Upgrades to SaMDs not only provide more accurate data to healthcare professionals, but also better protect the anonymity of the people relying on them and improve usability for those people. More importantly, these regulations, and the future guidelines that come out, will keep them safer from having their life-saving devices tampered with or shut down completely.
Conclusion
Unlike on your personal computer, cybersecurity in medical devices isn’t as simple as using a complex password to hide your identity. Bettering the cyber-defenses of these critical health devices must go all the way back to the production phase.
The Draft Guidance of “Cybersecurity in Medical Devices” released by the FDA in April 2022 is a big step forward for those who make and rely on medical devices in America. As more attention turns toward cybersecurity in general, a baseline of privacy and security will infuse into every industry that relies on digital technology. This is great news for consumers, especially when they rely on these devices as strongly as the medical community does.