Technology and innovation have made a considerable impact on the medical device industry. These components often contain software. They can also connect to the internet, a hospital network, or a mobile phone. As a result, these devices can provide many benefits to patients and clinicians. However, with anything digital, there’s also a risk. Thus, medical device cybersecurity must be a priority for all stakeholders. It’s an even higher stake proposition, as vulnerabilities put patient lives at risk.

Unfortunately, there have been many medical device cyber-attacks, putting the safety of wearers in jeopardy. So, what are the best practices to mitigate risk and ensure security? This guide will answer that question and much more.

What Are Medical Devices?

First, let’s outline the scope of a medical device. The U.S. FDA (Food and Drug Administration) defines this broadly. It can be an “instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or related article.”

In terms of cybersecurity and medical devices, the group narrows somewhat to include those with connectivity and software. It’s just like any other IoT (Internet of Things) or mobile device. There’s the potential for hacks and breaches.

The following devices are the most at risk, according to experts.

Pacemakers

Pacemakers are life-saving implants for those with cardiovascular disease. In addition to doing the job of supporting the heart, they also contain a lot of PHI (protected health information). They are attractive to hackers as a means to steal data and have inherent vulnerabilities as they connect to wireless networks.

Such a hack has not yet occurred, but the risk is real and relevant. An article on the World Economic Forum featured a patient who hacked her pacemaker to demonstrate the vulnerabilities.

Drug Infusion Pumps

These devices administer medications to patients and can be implanted during hospital stays or for more extended periods. They, too, rely upon wireless connectivity and can be easily hacked without the proper configurations and protections. A report disclosed that 75% of these pumps have cyber flaws. Those include leaking sensitive information, unauthorized access, and third-party vulnerabilities.

MRI Devices

MRI devices must integrate and connect to hospital networks to share images and data. As a result, they have become a target for hackers as a means of entry to spread ransomware. This type of attack occurred when a group called “Orangeworm” infiltrated MRI machines and had the ability to sabotage them. The incident impacted organizations on three continents.

Wearable Health Devices

Cybercriminals have a high interest in breaching wearables. These typically wouldn’t involve a risk to patient safety. It’s more about the valuable data these can contain. It might be on an individual basis or to access a wider system and gain control of other devices.

Cochlear Implants and Hearing Aids

Advanced cochlear implants and hearing aids have connectivity options. They typically connect to wireless networks and use Bluetooth technology. As a result, they are at risk of hacking.

How High Is the Risk?

Among all the devices, what’s the actual propensity for cyber-attacks? The FBI issued a report in conjunction with the AHA (American Hospital Association) noting an uptick in vulnerabilities due to unpatched medical devices on outdated software.

A report, The Insecurity of Connected Devices in Healthcare, confirmed these concerns. The findings revealed that over half of responding health systems suffered a cyber-attack in the past two years involving medical devices. The survey also found that only 21% of organizations described their medical device cybersecurity as mature.

It seems there is consensus that medical device security is a major issue that requires the focus of many stakeholders, with the FDA being the lead government agency on guidance. Let’s look at the role they play in managing the cybersecurity of medical devices.

The FDA’s Role in Medical Device Cybersecurity

As the FDA is the determiner of what a medical device is, it also serves as the regulatory body. The institution has released guidance on cybersecurity for medical devices and has worked in tangent with device manufacturers, hospitals, providers, patients, and other stakeholders. In addition, the FDA receives support from the CISA (U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency) and the U.S. Department of Commerce.

Much of its guidance on medical device security relates to monitoring and assessing cyber risks and vulnerabilities. In November 2022, the FDA updated the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.

The resource is an aid for healthcare organizations, focusing on preparedness and response. It provides a framework for managing the cybersecurity of medical devices.

The FDA guidance also institutes six primary components of an SPDF (Secure Product Development Framework) to satisfy QSR (Quality System Regulations):

• Cybersecurity is an essential component of device safety and the QSR.
• Devices and their software should be secure by design.
• Transparency is key in the process. 
• Security risk management must be a priority.
• Security architecture is a vital part of threat management.
• Testing and objective evidence support should be part of cybersecurity practices.

These are excellent principles to consider as the foundation for your cybersecurity strategy. In building one, you must first identify and document risks and vulnerabilities. The best approach is to leverage three tenets in developing a risk management and security plan.

The Three Tenets of Medical Device Cybersecurity

In formalizing your cybersecurity strategy and plans for medical device safety, you can use these three tenets: governance, risk identification, and risk management.

Governance

The first segment relates to governing such a program. Within governance, there are several layers. First is organizational leadership. Who will lead efforts? It’s a security subject, so it would seem practical for this to fall under the purview of a CISO (Chief Information Security Officer), if applicable, or IT teams. However, they’ll need support from others in steering policy. They are cybersecurity experts but not medical or healthcare ones. So, it’s critical for there to be representation from all parties.

Next is the framework of guidance. The number one consideration is that this should be unique, as opposed to general cybersecurity measures. It should be device-specific. Within this framework, you also need to designate roles and how you’ll identify risks to patient safety, organizational infrastructure, and compliance requirements.

Risk Identification

Once a device is “online,” the risk of being compromised becomes evident. So, what are those risks?

• Electromagnetic interference, which is unwanted interference in an electrical path or circuit
• Untested or defective software and firmware, which can lead to bugs and backdoors for hackers
• Stolen or lost networked medical devices, which could fall into the wrong hands
• Unauthorized device setting changes, reprogramming, or infection via malware
• DDoS (Denial-of-service) attacks
• Targeting of mobile health devices to access patient data, monitoring systems, and implanted medical devices

In the category of vulnerabilities related to security and privacy, the risks include:

• Legacy systems no longer maintained
• Misconfigured networks or inadequate security practices
• Failing to install security software updates and patches
• Improper disposal of patient data, including test results or health records
• Uncontrolled distribution of passwords by employees
• Unauthorized disclosure or lack of patient data availability to providers
• Phishing attacks

It’s a long list, so it requires specific attention to how you’ll identify those most pressing and evaluate them for action. You can do this by:

• Hiring independent experts to audit your current security infrastructure
• Performing penetration testing to discern vulnerabilities
• Ensuring you have a complete inventory of devices connected to networks
• Documenting how protected data like PHI flows through a system, including how it’s stored, processed, or shared

Once you have a complete list of risks and have prioritized them, you can move to risk management.

Risk Management

You’ll never be able to eliminate all risks, so you have to do your best to manage them. This process covers the entire lifecycle of medical devices, including:

• Procurement: Institutions that purchase these devices for use in patient care should be discerning regarding manufacturers. Do your due diligence before buying.
• Risk-mitigating measures: Once devices are in use, it’s all about mitigation. Protocols need to be in place that match FDA guidance and compliance mandates. In this area, monitoring of networks and proactive updates are critical. Additionally, ongoing scanning of devices to determine any deficiencies in encryption, weak passwords, or broad access will be important.
• Decommissioning legacy systems: A legacy system connected to devices is a blind spot. If it’s no longer maintained, it becomes a weak link. Sunsetting these systems is a good move to mitigate risk.
• Network segregation: You may also choose to segregate the network where medical devices connect. It can reduce the chance of a breach, but it isn’t always possible due to costs, availability, or patient safety.

Medical Device Cybersecurity: Partner with Experts to Reduce Risk and Strengthen Security

All these tactics, strategies, and initiatives require time, resources, and investment. In many scenarios, organizations are constantly lagging because there are so many aspects of technology in healthcare.

You can remove some of this burden from your plate when you partner with a cyber firm with healthcare expertise. Trust the team at Blue Goat Cyber to provide you with an assessment or penetration test to see where gaps remain. Contact us today to get started.