Cybersecurity in medical devices has increasingly become a concern to healthcare providers, device manufacturers, regulators, and patients. With the heavy push over the past several years to integrate medical devices into a hospital’s digital healthcare infrastructure, these devices have become exposed to the same security threats as any other IT component. It is only recently that manufacturers have begun to address the security threats to medical devices.
A Brief History of Medical Device Cybersecurity Issues:
- 2008: Pacemaker hack – Kevin Fu, UMass Amherst
- 2011: Insulin pump hack – Jerome Radcliffe, Black Hat Conference
- 2013: Discovery of a wide range of vulnerabilities across a variety of device types: surgical and anesthesia devices, ventilators, infusion pumps, defibrillators, patient monitors, and laboratory equipment – Billy Rios, Security Researcher
- 2014: Multiple security alerts issued by ICS-CERT (Homeland Security / DHS), FBI, and FDA
- 2015: TrapX and Protiviti publish research demonstrating that medical devices are actively being exploited by cybercriminals as entry points for attacks on hospitals
- 2016: 16 major hospital networks reported ransomware attacks that used security deficiencies in medical devices as a gateway into each hospital’s IT infrastructure
Government Cybersecurity Regulations:
The increasing network integration of medical devices is leading to new patient safety risks. In October 2014, the FDA released the industry guidance "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices", followed in January 2016 by "Postmarket Management of Cybersecurity in Medical Devices".
It is now widely accepted that medical devices, like all interconnected technology, can be vulnerable to security breaches that may compromise the essential clinical performance of a device and potentially impact patient safety. Despite this acceptance, medical device manufacturers have been slow to implement protections. According to a recent survey, 43% of medical device manufacturers and 53% of healthcare delivery organizations (HDOs) do not conduct cybersecurity testing on their medical devices. Meanwhile, only 9% of device makers and 5% of HDOs conduct medical device testing at least once a year.