The Internet of Things (Iot), the continual proliferation of mobile medical devices, and the growing amount of data in hospital systems are trends medical device manufacturers should closely follow. Similarly, medical device manufacturers should track cybersecurity trends. Just last year the number of medical device cyber attacks on government systems grew to nearly 61,000*. Because lives are at stake when it comes to medical devices, the FDA has a strong interest in guiding manufacturers to help ensure safe medical devices in an increasingly interconnected world.
How can a hacker use a medical device?
Most hospital systems have advanced levels of protection. Medical devices on the other hand, can be a point of vulnerability. Would-be hackers may be able to find weaknesses in hospital systems using medical devices as entry points to the network.
The end game with hacking medical devices is typically not to harm patients, but to gain access to patient and research data. This information, in turn, could be used to steal valuable background patient information such as social security numbers or gain access to a hospital’s financial system.
Stolen data or access from key hospital operational systems can also be used to bribe or blackmail hospital administrators to pay a ransom – or else face dangerous system malfunctions that can harm patients. Another scenario involves a ‘silent assassination’: undetectable malware that takes control of a drug pump to inject a deadly dose of medication to a patient**.
What does the FDA say about medical device cybersecurity?
For the FDA, addressing medical device cybersecurity risks to lessen the threat of patient illness, injury, or death is a matter of shared responsibility: healthcare facilities, device manufacturers, providers, and patients must mitigate security threats together.
Here are three medical device cybersecurity concerns medical device manufacturers must consider:
- Each cybersecurity threat is unique, so no single approach can address every scenario.
- Connected medical devices (via wireless, wired, cellular, etc.) may not operate securely as intended leaving them vulnerable to hackers.
- The time it takes to get a medical device approved by the FDA can be lengthy, while cyber threats are constantly evolving.
In recent guidance, the FDA offers directives for medical device manufacturers, including developing “a set of cybersecurity controls to assure medical device cybersecurity and maintain medical device functionality and safety.” Example controls (where appropriate) include limiting access to users through authentication, automatic timed methods, stronger password protection, physical locks, and restricting firmware and software updates. The FDA guidance also recommends implementation of features that allow detection of security compromises, proper responses, and recovery of device reconfiguration***.
Utilizing design and development companies or in house experts that have cybersecurity experience, early in the development process, is of utmost importance. It is highly recommended that security safeguards be implemented during the medical device design stage to help ensure products released offer benefits that outweigh risks.
In today’s medical device world, people are looking to have their medical devices connected like it is with everything else they interact with. Cybersecurity safeguards need to be understood from a design and risk management perspective.
* CNN.com, “Government hacks and security breaches skyrocket,” December 19, 2014
** Engineering and Technology Magazine, “Comment: Tackling malware in medical equipment,” July 14, 2015
*** U.S. Department of Health and Human Services Food and Drug Administration, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” October 4, 2014