Health Standards

Medical device security: More questions than answers for healthcare CIOs

July 12, 2017 By David Chou 2 Comments


Pacemakers that suddenly quit working; medication pumps that push too much or not enough dosage; electronic breaches that let bad guys prowl around undetected in your network so they can pillage confidential patient and financial data — these are the concerns that keep medical personnel, security experts, and the CIO awake. Though general medical digital safety and network security have been concerns for years, the healthcare industry is increasingly being warned of new vulnerabilities, especially the possibility that many medical technology devices – from radiation therapy machines to defibrillators – can be improperly accessed in our increasingly connected world.

While the average hacker may or may not be interested in the raw data from your average pacemaker, the greater concern is that they could reach the device remotely and perhaps even take over its operation. This, combined with providers wanting to share electronic medical data with their staff and other specialists to improve patient care and provide faster response times, has created a dangerous combination of poor or non-existent hardware security and weak password policies. This lack of preparedness produces fears that a compromise of one machine may lead intruders into the main network, where they can cause real havoc.

Even though these concerns may sound like the stuff of sci-fi/health thrillers, medical professionals are beginning to take them seriously by looking at their own practices, encouraging manufacturers to include stronger protections in new tech, and creating patches/fixes for what’s already available.

Missing from many of these discussions are government regulations or oversight, which some say would encourage the industry to take steps to ensure better security. Some envision a structure similar to HIPAA that affects everything from waiting room check-in sheets to how and when providers can discuss patient conditions with other caregivers.

Far from basic recommendations, HIPAA’s firm privacy/confidentiality rules include some serious teeth, including significant fines for both accidental and deliberate violations, plus disciplinary action at the corporate level.

In the case of medical technology security, however, the Food and Drug Administration has only issued lightweight, non-binding recommendations and leaves it up to the marketplace to create and enact security and safety standards.

The FDA’s December 2016 guidance on “post-market management of cyber security” encouraged manufacturers to address cybersecurity throughout a product’s lifecycle, including design, development, production, distribution, deployment, and maintenance. Because more devices are becoming networked, a single compromised device can expose the entire network.

These recommendations came two years after an FDA pre-market guidance document offered encouragement to stakeholders concerned about security. It encouraged manufacturers and medical providers to find ways to identify and protect their assets, but didn’t give any kind of firm road map.

Both documents emphasized proactively addressing security risks in medical devices and encouraged hospitals/healthcare facilities to continually evaluate their networks and machinery and look for vulnerabilities to remediate.

The newest document showed that the FDA still wants reports about possible exploits and warned that it could potentially take action if companies deliberately fail to follow safety regulations in designing their medical technology, especially if someone is harmed. The new document also asks manufacturers to report significant changes to their current or past technology, especially for issues that can pose a risk to health or can’t be fixed within 60 days. The FDA stated it does not need to know about routine updates or patches.

The FDA followed the document up with a cybersecurity fact sheet that provides additional details about the recommendations and clarified speculation about what its role should and shouldn’t be in future recommendations. It suggested that the best solution to medical device safety isn’t a top-down order from one government agency, but an informal coalition that includes everyone from individual physicians and patients to manufacturers and developers. The sheet suggested that the Department of Homeland Security have a role, especially if potential attackers could be part of larger criminal or international organizations trying to damage the country.

The FDA concluded that much of the responsibility starts with the hardware and software. The agency is encouraged that improvements are already taking place under its required Quality Safety Regulations.

Industry opinions range from supporting the FDA’s hands-off approach to those wishing the FDA could play a more active role in enforcement.

Focusing on patient health, or at least reducing the risk of patient harm due to a compromised device, is a good place to start, but it does not by itself make devices or networks more secure. It also doesn’t answer questions of liability if a patient is harmed due to a device’s security flaws. If that were to occur, blame would be pointed at every involved party, including medical providers and manufacturers.

Overall, the need for medical device cybersecurity will continue to grow. Defensive tactics and attacker methods are evolving at the same time that networked, smart medical technology is becoming mainstream. These factors will keep every CIO in the healthcare industry up at night.

Other Sources

As cyberthreats multiply, hackers now target medical devices, via CNBC

Medical devices a target for cyberattacks, but how serious is the threat? via StarTribune

David Chou

David Chou is a CIO, health IT thought leader, a “Top CIO to follow on Twitter," and keynote speaker. David is a regular contributor to Health Standards and frequently shares his views on health care technology in his Twitter feed.

Tagged With: cybersecurity, medical device security

  • John

    Medtech consulting offers a wide range of analyses to help expedite the process to market approval and ensure the highest ROI for innovative technologies.

  • Zenservice

    Medical Billing and Management Services

Zen Services offers services like Medical Billing Services and Patient Collection Services; patients also get an SMS right before their appointment, reminding them to bring the balance to the office.

    http://www.zenservices.net/about-zen-services

Copyright © 2019 Health Standards. All Rights Reserved.