Medical device companies have made huge strides in developing innovative medical instruments over the last few years. From remote insulin pumps to implantable cardiac defibrillators, these technologies have revolutionized the way patient care is delivered. Healthcare providers using these tools can track patient stats and adjust medication accordingly, thereby improving patient outcomes and experience.
A convenient, less-invasive approach sounds too good to be true, and it is. Medical devices are just as vulnerable to today’s sophisticated hackers as other computer systems, and the consequences are riskier. A data breach at any level can seriously damage an organization from both customer confidentiality and financial perspectives; indeed, data breaches have cost many companies not only their reputations but also millions of dollars to regain control of their stolen data. With breaches of medical devices, however, there’s even more at stake: patient safety.
These devices are so prone to being compromised that a hacker can intercept a device and administer a fatal medication dose to a patient, or use the device as a point of entry to access a hospital’s entire medical records system. As such, these instruments become a tool for hackers around the world looking for a hefty income and for the wealthy, ill-willed people who hire them, for example to hurt a prominent figure in the public sphere, which could constitute an act of terrorism.
The risk has been so serious that the Food & Drug Administration (FDA), in partnership with the National Science Foundation (NSF) and the Department of Homeland Security, has been leading the conversation with stakeholders in the medical community, in the hopes of reinforcing and strengthening cybersecurity in the healthcare industry.
Now that we’ve established the gravity of the situation, what are some of the steps medical manufacturers should take to safeguard their devices, and hospitals to protect their patients?
Four Tips for Medical Device Manufacturers
- Ensure the devices you’re putting out in the market are built to the highest standards with cybersecurity in mind.
- Continuously monitor and assess a product after you put it on the market. While it’s impossible to anticipate and eliminate every threat before a product is launched, you are expected to have a plan ready in the event that you need to activate it.
- Report to the FDA any cases where one of your devices may have caused or contributed to serious injury or fatality.
- Also report to the FDA any malfunctions in your devices that could cause or contribute to serious injury or fatality if they were to recur.
Five Tips for Device Users
- When purchasing a medical device, ensure you’re asking a lot of questions about cybersecurity and expressing your concerns; this could help promote transparency, often lacking in the device manufacturing industry.
- Implement hard-to-hack security measures in your organization by encouraging and implementing stronger passwords, additional layers of ID verification, smart card systems, etc.
- Watch out for human error. Sometimes, hackers don’t bother going to the trouble of breaking a complicated system when they can crack an employee, and they’re getting really smart at it; this is called social engineering. This is why it’s more important than ever to ensure your internal communications and information security teams are working hand-in-hand to relay the seriousness of the threat and tips to avoid falling for phishing attacks and interacting with ‘online strangers.’
- Update, update, update! While it used to be the case that the FDA made it difficult for healthcare providers to implement updates on their systems, it is now more lenient if these updates and patches enhance the security of medical devices, given the increased cybersecurity concerns in the industry.
- Report a fatality or serious injury to the FDA and the manufacturer, if you suspect it resulted from a medical device.
As medical devices become more connected and increasingly vulnerable, many are wondering whether the risks outweigh the medical benefits. The FDA does not approve the marketing of a device unless the opposite is true.
Medical devices are a part of your health information system and must be protected with the same level of security as any other IT system. Medical device security is critical because these devices expose your hospital or clinic to HIPAA security issues and potential health risks.
Extra care must be taken to protect these unique workstations, such as configuring them securely, separating and isolating them on the network, and auditing them regularly. Security should be part of the selection process when purchasing medical devices.