Is Medical Device Cybersecurity Improving Fast Enough?

by Terry Bryant

We are sad to report that, like our power grid, voting networks, and military IT, hospitals and other vital medical computing networks have joined the growing list of cyber infrastructure that is now clearly vulnerable to online attack.

Medical device security (or the lack of it) was recently highlighted by a research team from McAfee Cybersecurity. The team broke into a hospital’s central patient database in only a few seconds and modified critical patient records, including vital signs and prescribed medications (along with their scheduled administration times).

There is a long-overdue change coming to medical device cybersecurity. It was first announced in June 2018 by the Food and Drug Administration (FDA), which is adopting UL 2900-2-1 as a new “consensus standard” for better software security in new devices. And though the majority of medical devices in current use work flawlessly on their own, they weren’t designed to be connected to the Internet, where hackers could not only compromise their functionality but turn them into lethal weapons against vulnerable patients.

Readers may recall the flurry of news stories about patient monitoring devices as recent targets of potential hacking threats, culminating in the April 2018 FDA report on the vulnerability of cardiac defibrillators (pacemakers). Abbott Labs, maker of some of the most susceptible pacemakers, had to issue a patch to fix security weaknesses in several of its models. Fortunately, the fixes were in place in time to avoid any hacker assaults.

Security experts demonstrated as recently as August 2017 that some tested devices, such as infusion pumps and patient monitoring systems, had vulnerabilities that are relatively easy to exploit from remote locations. The medical industry, device manufacturers, and the FDA view these warnings with extreme concern.

Cyberattack threats are forcing hospitals and medical device manufacturers to take new measures to protect networked devices from hackers, and also to consider replacing relatively new devices – some as new as five years old – that don’t have enhanced cybersecurity built in. The average cost of a successful cyberattack across all industries is $3.8 million, according to the July 2018 Cost of a Data Breach Study.

One promising way to mitigate cybersecurity risk is to limit access to a networked medical device. One new patient monitoring system runs on a dedicated, isolated network, which allows the device to function with no access to the larger hospital network, according to a spokeswoman for the manufacturer, GE Healthcare.

This device proved impervious to the McAfee “assault” team because it was not linked to the unencrypted networks McAfee targeted, which, according to the GE spokeswoman, makes it invulnerable to remote hacks.

Medical device manufacturers are banding together to address cybersecurity vulnerabilities and to create an information sharing and analysis organization (ISAO) for their industry, so they can compare notes with each other on online security threats and vulnerabilities. Still in development, the ISAO should be up and running by the end of 2018.

And though no evidence exists that any medical device has been externally targeted or hacked, even theoretical threats are taken seriously by the FDA, device manufacturers, and their customers – the hospitals and healthcare providers. The ongoing debate over how cybersecurity risk and liability should be shared between device manufacturers and end-user healthcare providers seems to be spurring both parties to unusually high diligence.

If you have questions about any medical device-related injury, the legal team of Terry Bryant Accident & Injury Law is at your service 24/7. Call us at the phone number at the top of this page or send your question to us anytime through the “contact us” link.