In the world of medical devices, concern over cybersecurity is on the rise. So much so that the FDA recently sent out a warning to patients using a popular insulin pump due to concerns that the device could easily be breached. As a result, the manufacturer issued a voluntary recall.

Anxiety over a possible breach of this device system is evident in the FDA’s action, which was essentially a preventative measure. “While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm, if such a vulnerability were left unaddressed, is significant,” said Suzanne Schwartz, M.D., deputy director of the FDA’s office of strategic partnerships and technology innovation.

The FDA’s concern is understandable when you look at the risk. Insulin pump settings can be hacked, with insulin levels raised or lowered to a dangerous degree. Not only that, any medical device connected to a network, either through WiFi or the Internet, is vulnerable to theft of Personally Identifiable Information (PII) and Protected Health Information (PHI).

Also in the works: the U.S. Food and Drug Administration is issuing a safety communication to providers and patients about the vulnerabilities of a wireless telemetry protocol used for communication between implantable cardiac devices, clinic programmers and home monitors. Surprisingly, as of March 2019, the wireless telemetry protocol does not use encryption, authentication, or authorization, all of which are critical to preventing unauthorized access.

The FDA has urged manufacturers to be vigilant about their products, and companies should take steps to monitor cybersecurity vulnerabilities and be transparent about potential threats and what they’re doing to address them.

The healthcare industry is taking heat and taking notice

  • According to a 2018 HIMSS survey, 84% of respondents were increasing their budgets to mitigate cyber threats
  • More than 75% of organizations surveyed experienced a cybersecurity incident within the past 12 months
  • Stakeholders that experienced a threat were able to identify its source. The sources include:
    • 37% scam artists; phishing
    • 20% negligent insiders who made mistakes and caused a data breach
    • 20% hackers; cyber criminals, script kiddies or other bad actors
  • 62% report that the initial hack came through a phishing email
  • 41% of cyber-attacks were discovered by the internal security team
  • 28% of attacks were discovered by employees who are not part of security
  • 47% of hacks were discovered in less than 24 hours

In January 2019 the Joint Security Plan (JSP) was put in place to help medical device stakeholders address cybersecurity risks and challenges when securing and protecting themselves against incidents, both intentional and unintentional. The report was motivated by several key statistics:

  • 95% of healthcare institutions report they were targeted for some form of cyber attack
  • Security breaches cost the healthcare industry $5.5 billion every year

Compounding the problem is the lack of qualified security professionals. There are over 7,000 device manufacturers challenged with finding security workers, and approximately 80% of device manufacturers have fewer than 50 employees. They are in need of guidelines and support for cybersecurity.

Today’s complex connected medical devices and future advances

In 2019, the JSP reported a 62% increase in the number of connected medical devices over the last 5 years, and this increase is expected to accelerate. The Food & Drug Administration (FDA) reports that both devices and information databases are increasingly connected through the Internet and internal provider networks — access that improves healthcare and the speed of that care. Unfortunately, these features also increase the risk of cybersecurity threats.

While medical device connectivity gets much publicity, the Internet is also used to enter and access patient files and current data. Many doctors’ offices and insurance companies no longer utilize direct contact or telephone service. Patients today access an ID / password protected “patient portal” for appointments, test results, referrals, sensitive medical information and records, doctor contact and notes, and drug refills, often including payment methods. All this information may be vulnerable to hacking and theft.

It’s not just patient information that can be impacted. As pharma and biotech companies continue to store more valuable data, their cyber security practices become potentially vulnerable. Finally, the cyber security threat is not just external. Internal threats are very real, making the use of complex sign-on, authorization protocols and access / usage tracking critical.

Looking to the future.

Greater rewards and risks come with the launch of 5G networks in the medical industry. Development of connected devices and files through the application of the Internet of Things (IoT) will make cybersecurity important. The blazing speed of 5G is driving technology to instantly connect medical devices with a basic on and off switch via the Internet. This will allow for the capture and monitoring of data on devices that are connected to the cloud.

The speed of 5G networks will also impact remote health monitoring and telemedicine, a market that is expected to grow at 16% annually through 2023. Transmitting medical images from MRIs, CT scans and other imaging systems demands significant bandwidth that is easy to manage with 5G technology. One of the most talked about uses of 5G is remote. Recently, a patient in China underwent the country’s first remote surgery on a human brain using a 5G network. The doctor operated via hand controllers in Hainan, while the patient was 1,864 miles away in Beijing.

As the speed of technology increases, it makes possible the advancement of practices supported by that technology. So how will device manufacturing, data and patients be protected from cyber thieves?

Attacks on complex, connected systems and Internet security

Today the sophistication of malware continues to match the growth and complexity of Internet connectivity. For example, MEDJACK, a malware virus, compromised three healthcare systems through medical devices such as x-ray machines, blood gas analyzers and diagnostic equipment. In 2017, a leading pharmaceutical company was one of many targeted by a ransomware attack known as “WannaCry.” Reuters reported that this attack “disrupted production of several medicines and vaccines,” at a high cost to the company.

Medical devices and networks can be hacked in many ways. Malware can access and gather private data, allowing hackers to take control of connected systems. It’s important to maintain and update operating systems, firmware and application software. Given the complexity of these systems and the connected equipment used in manufacturing, hospitals and doctors’ offices, operating and application technology is often not user serviceable. It may run out-of-date application and protection software or firmware. Expert software support is generally required. Devices or networks with out-of-date operating technology leave computer systems, server farms and connected devices vulnerable to cyber-attacks.

It’s important to note that tools such as virus protection software may be unsuitable for manufacturing systems, because machines operate over long periods, and anti-virus software that runs in the background could cause the manufacturing process to shut down. Access to manufacturing systems should be restricted as much as possible through a robust authorization process. Hardware and software protection will require several levels of username / biometric and password acceptance. Uncontrolled devices or networks that lack enhanced security make it easier to steal data.

A cybersecurity framework from the National Institute of Standards and Technology (NIST)

To help medical stakeholders better understand their exposure to risk, NIST recommends taking the following steps:

  • Identify: educate people throughout the organization so that they can recognize risks to systems (a key part of authorization)
  • Protect: enact safeguards that protect critical infrastructure services
  • Detect: implement activities to identify cybersecurity events
  • Recover: put plans in place that prepare your facility for a cyber attack and make it possible to restore devices or networks that were compromised