The U.S. Food and Drug Administration (FDA), which is responsible for guidance on medical devices, has acknowledged that certain devices are susceptible to breaches. The FDA has identified cybersecurity vulnerabilities in medical devices that could allow unauthorized users not only to access patient information, but also to control the device itself. The FDA’s oversight comes at a critical time, as hospitals are increasing the number of network-connected medical devices used in the delivery of care. Amid the ongoing changes in healthcare technology, many providers remain unaware that medical devices pose a unique and serious cybersecurity risk to both patient safety and data privacy.

Today, thousands of medical devices (dialysis machines, ventilators, medication dispensers, and patient monitors, among others) are not only connected to provider networks, but also incorporate wireless capabilities for remote access. That remote access can be exploited by outside parties seeking to bypass the security controls established by a network or provider. Furthermore, the lifeblood of a medical device is its operating system and software, which leaves it exposed to the same malware, worms, trojans, phishing schemes and the like that threaten any other networked computer.

The rising risks, threats, and inherent vulnerabilities have been documented. On July 31, 2015, the FDA issued a safety communication to hospitals and health systems regarding an infusion pump (the Hospira Symbiq Infusion System). The warning indicated that vulnerabilities in the pump could enable an unauthorized user to take control of it and alter dosage settings to life-threatening levels. Although the FDA was not aware of any adverse patient events at the time, it discouraged hospitals from buying these pumps on the secondary market and encouraged facilities to transition to alternative systems.

These problems are not new. In 2013, the FDA published recommendations for health systems to implement as safeguards against cybersecurity breaches. That guidance pointed out that the software running on medical devices, and the devices’ connectivity to hospital networks, increase cybersecurity risk.

The Office of the Inspector General (OIG) is also aware of these issues. An initiative in the OIG’s 2016 Work Plan is to examine whether the FDA’s current oversight of networked medical devices adequately protects patient health and data. The initiative is a response to the “growing threat” medical devices pose to patient safety and the privacy of health information. A report of the OIG’s findings is expected to be published at the end of 2016.

The oversight by the FDA and OIG underscores the potentially life-threatening perils that could arise from cybersecurity breaches involving medical devices. So what is the plan going forward? Organizations should apply enterprise-wide protections to mitigate breaches and enhance the safety of medical devices. Those strategies would include:

  • Understanding your organization’s cybersecurity risks by inventorying its medical devices, the operating systems and software they run, and the users authorized to access them
  • Implementing or updating medical device management policies
  • Establishing recurring security risk assessments for medical devices
  • Evaluating network security (e.g., restricting device access to the systems and users that need it, monitoring network activity, and maintaining and updating antivirus software where the device supports it)
  • Encrypting data, both at rest on the device and in transit across the network

In conclusion, as more devices reside on provider networks, it is only a matter of time before the vulnerabilities found within such devices are exploited. Providers should not wait for a breach as a prerequisite for implementing medical device safety measures, but should instead work vigilantly within their organizations, and with medical device manufacturers, to maintain the cybersecurity of their instrumentation. The FDA’s warning regarding infusion pumps should serve as a wake-up call that the inherent vulnerabilities of medical devices are now, quite literally, a matter of life or death.

For any questions about this blog, please contact the authors.