As if the headlines today are not scary enough, now we have to be worried – very worried, it seems – about medical device cybersecurity! Reports of hacking and other incidents involving medical devices are all over the news lately. Beyond the financial impact, confidentiality and HIPAA compliance issues arise immediately. The first 6 months of 2017 have seen an inordinate number of cybersecurity meltdowns, and other HIPAA breaches and data leaks occur much too often.
- In May 2017, hospital services in the UK and elsewhere in Europe were disrupted by the WannaCry ransomware, which spread by itself across internal networks through an unpatched Windows file-sharing (SMB) flaw. At least two contrast agent injectors were compromised as part of that attack.
- In 2015, three hospitals suffered data breaches when devices were infected by malware. The devices included a blood gas analyzer and a picture archiving and communication system (PACS). In these instances, the malware spread from the device to other systems in the hospital, leaving the hospital facing a ransom demand to cleanse its systems. This happened even though the hospitals had firewalls, intrusion detection and other security tools in place: the infected devices sat inside the network perimeter those tools watch.
- In August 2017, the FDA approved a firmware patch to address cybersecurity vulnerabilities in roughly 465,000 implanted pacemakers in the US made by St. Jude Medical (now part of Abbott). The problems had been identified over a year earlier!
Why are medical devices vulnerable to cyber attacks?
Most of the time, medical device cybersecurity flaws stem from third-party software such as Windows. Many devices use a Windows computer as the interface for the people operating the equipment and for exchanging data with electronic health record systems. Often it is an older or embedded version of Windows for which the device vendor has not validated newer patches, so it stays unpatched long after Microsoft has fixed the flaw. If the device is reachable from the hospital network or the internet, a pathway exists for malware to infect the Windows software on the device and, from there, to reach other connected devices or applications.
But as the pacemaker issue mentioned above shows, there can also be vulnerabilities in the device's own firmware. An investment firm lit a fire a year ago when it issued a report claiming most devices had little to no built-in cybersecurity measures.
What does the government advise about medical device cybersecurity?
Two government agencies are concerned with medical device cybersecurity. The Food and Drug Administration (FDA) is principally concerned with patient safety. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) administers and enforces the HIPAA Privacy and Security Rules.
With its focus on patient safety, the FDA historically paid little attention to the HIPAA security issues related to medical device cybersecurity. It broadened its view with the Postmarket Management of Cybersecurity in Medical Devices guidance issued on December 28, 2016. This non-binding guidance advises device manufacturers to adopt several strategies for reducing medical device cybersecurity risk:
- Maintaining robust software lifecycle processes, including monitoring third-party software components for new vulnerabilities.
- Understanding and detecting vulnerabilities, and establishing processes for communicating with users when vulnerabilities are recognized.
- Adopting coordinated vulnerability disclosure policies and deploying mitigations that address the identified risks.
The 4 things medical device users should do
First, ask vendors how they are implementing the FDA postmarket guidance. In this day and age there is really no excuse for not keeping third-party software like Windows up to date, so ask specifically how quickly the vendor validates and releases Microsoft security patches for its devices, and how you will be notified.
Second, expand the information you keep in your inventory of medical devices to include, for each device:
- Its risk factors, e.g., use of third-party software, connection to the hospital network or the internet, etc.
- The type of data kept on the device, and whether it is static (stored on the device) or dynamic (passing through it).
- The security controls that exist on the device, e.g., encryption, password protection, changed default credentials, etc.
Third, include medical devices with third-party software in the periodic HIPAA Security Rule risk assessment you perform.
Fourth, keep a sharp eye out for vendor and FDA communications about vulnerabilities in your medical devices – and for firmware patches that improve the devices' resistance to hacking.
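As an added example (not code from the original post or from any vendor), here is a small Python script that turns the inventory attributes from the second step into a repeatable triage for the risk assessment in the third step. The device records are constructed for illustration, and the field names, the end-of-life operating system list, the finding weights and the high/medium/low thresholds are all assumptions; adjust them to your own environment and risk methodology.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Windows versions that no longer receive security patches from Microsoft.
# Illustrative assumption for this example; keep your own list current.
END_OF_LIFE_OS = ("windows 2000", "windows xp", "windows server 2003")


@dataclass
class Device:
    """One inventory record with the attributes the post says to track (field names assumed)."""
    name: str
    third_party_os: str            # e.g. "Windows XP Embedded"; "" if the device has none
    patch_current: bool            # at the vendor-approved patch level?
    network: str                   # "isolated", "hospital_lan" or "internet"
    stores_phi: bool               # patient data is kept on the device
    phi_persistent: bool           # static (stays on the device) vs. dynamic (passes through)
    encrypted_at_rest: bool
    default_credentials_changed: bool


def risk_findings(d: Device) -> List[Tuple[int, str]]:
    """Return (weight, finding) pairs for one record.

    The rules and weights are illustrative assumptions, not an FDA or OCR scale;
    the point is that each inventory attribute maps to a concrete check.
    """
    findings = []
    os_name = d.third_party_os.lower()
    if os_name:
        if os_name.startswith(END_OF_LIFE_OS):
            findings.append((3, f"runs {d.third_party_os}, which no longer receives security patches"))
        elif not d.patch_current:
            findings.append((2, f"{d.third_party_os} is behind the vendor-approved patch level"))
        if d.network == "internet":
            findings.append((2, "commodity OS reachable from the internet"))
        elif d.network == "hospital_lan":
            findings.append((1, "commodity OS reachable from the hospital network; malware can spread to and from it"))
    if d.stores_phi and not d.encrypted_at_rest:
        if d.phi_persistent:
            findings.append((3, "PHI stored persistently without encryption"))
        else:
            findings.append((1, "PHI passes through the device unencrypted"))
    if not d.default_credentials_changed:
        findings.append((2, "default or vendor credentials still in use"))
    return findings


def assess(d: Device) -> Tuple[int, str, List[str]]:
    """Score one device and bucket it into high / medium / low (thresholds assumed)."""
    findings = risk_findings(d)
    score = sum(w for w, _ in findings)
    level = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return score, level, [text for _, text in findings]


def triage(inventory: List[Device]) -> List[Tuple[str, int, str, List[str]]]:
    """Rank the whole inventory worst-first for the periodic risk assessment."""
    rows = [(d.name,) + assess(d) for d in inventory]   # (name, score, level, findings)
    return sorted(rows, key=lambda r: -r[1])


# Constructed sample inventory: not real devices, vendors or hospital data.
SAMPLE_INVENTORY = [
    Device("Contrast injector workstation", "Windows XP Embedded", False, "hospital_lan",
           True, False, False, False),
    Device("PACS server", "Windows Server 2012 R2", True, "hospital_lan",
           True, True, True, True),
    Device("Blood gas analyzer", "Windows 7", True, "hospital_lan",
           True, True, False, True),
    Device("Standalone infusion pump", "", True, "isolated",
           False, False, False, True),
]

if __name__ == "__main__":
    for name, score, level, findings in triage(SAMPLE_INVENTORY):
        print(f"{level.upper():6} ({score}) {name}")
        for text in findings:
            print(f"           - {text}")
```

Run it against the constructed inventory and the contrast injector workstation ranks first (unsupported OS, reachable from the network, unencrypted data passing through, default credentials), the blood gas analyzer second for its unencrypted stored patient data, and the isolated pump last. The useful part is not the numbers but that every attribute you add to the inventory becomes a question the script can ask on every review cycle.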
Medical device cybersecurity is not a particularly glamorous issue, but paying attention to it is vital in this environment. Hospitals have long had to keep electrical/electronic equipment safe to use around patients. Cybersecurity is just another part of that culture of safety.