Updated October 26, 2024
The healthcare industry should be concerned about the threats posed by medical device cybersecurity.
In the past, patients’ biggest concern was that their personal data might be exposed to hackers and used for malicious purposes.
But that is not the only threat anymore. If hackers were to gain access to the network that controls medical devices such as infusion pumps, it would put every patient in the hospital at risk. This is one way to attack a large portion of the population in a vulnerable situation.
Hackers can threaten patients’ lives by tampering with their medical devices’ firmware and software, which could lead to serious injuries or death if not detected quickly. Most hospital staff members aren’t trained in cybersecurity measures.
Hackers may use stolen information, such as credit card numbers or Social Security numbers, from patients’ medical records for years to come if users don’t take immediate measures after being notified about a breach. (And that notification wouldn’t happen unless some monitoring system was in place.)
When an innocent person dies, the hospital suffers irreparable damage to its reputation and can be sued for wrongful death.
How can this happen?
One of the biggest threats to patient safety is that many medical devices still lack a security monitoring or alerting system—meaning hackers could pose a threat to patients’ lives without anyone knowing!
Patients question how safe they are in hospitals, and rightfully so: one hospital alone reported losing $1.4 million due to a cyberattack on its network. Hospitals can also be fined by federal and state governments, meaning taxpayers ultimately foot the bill for the cost of cyberattacks on hospitals.
It’s time for new standards protecting patients from physical and digital harm.
Is this a real possibility?
Medical device hacking is a very real possibility in today’s world. Our medical technologies have advanced so much, and hackers can use that technology against
In a bulletin issued last year, the Food and Drug Administration (FDA) warned that medical devices running on IPNet software were vulnerable to cyber-attacks by an unknown party. These devices—including drug infusion pumps, pacemakers, and other medical devices—are life-saving equipment!
This is a serious concern for patients, hospital staff, and administrators. But what can you do about that? The first step is to educate yourself on the issue by researching it carefully.
What can be hacked?
What attacks have occurred, and what are the real-life consequences of hacking medical devices? Understanding these factors is the first step in building resilient infrastructure and promoting medical device safety.
Things that hackers could gain access to are:
- Pacemakers
- Drug-infusion pumps
- Surgical robots
- Medical records, financial
Pacemakers
When it comes to medical device cybersecurity, pacemakers are at the top of the list. Why? Because a hacked pacemaker could kill you.
Not only that, but pacemakers also hold a lot of sensitive information about you and your family. So if they’re hacked, a hacker could get access to your personal health history—and use that information against you.
The problem is that these devices are often connected to wireless networks, which can be hacked through Wi-Fi and Bluetooth connections. While these attacks aren’t common yet, they’re still possible—and they could have devastating consequences for patients with implanted devices.
The FDA recalled nearly 500,000 pacemakers in 2017 due to security vulnerabilities.
At a 2018 Black Hat Convention, researchers demonstrated a way to exploit firmware vulnerabilities on specific pacemaker models and hack the system used to program these devices.
Although no fatalities have ever been reported, pacemakers are a very real vector for targeted attacks on individuals and could potentially result in death.
Drug Infusion Pumps
Drug infusion pumps are also vulnerable to medical device cybersecurity attacks because they’re connected to a network.
The FDA has recently issued a recall for drug-infusion pumps. These devices are very common in hospitals and other healthcare settings and are used to administer medicines to patients.
The recall is being conducted because security researchers have discovered that many of these pumps can be hacked. This means that someone without authorization could change the settings on a pump or even cause it to stop working altogether.
This is dangerous because it could result in patients receiving incorrect medicine dosages, which could lead to serious side effects or even death.
This is just one example of how medical device safety is becoming increasingly important as more devices come online and more people use them.
Surgical Robots
Surgical robots are some of the most advanced medical devices in the world, and they’re becoming increasingly common in hospitals. But what happens when those surgical robots are hacked?
It’s not just a hypothetical question—it’s a real concern for hospitals and their patients. If you’re a hospital administrator or healthcare professional who has implemented surgical robotics in your facility, you need to be aware of the cybersecurity risks involved with these devices.
Researchers at the University of Washington successfully hacked a telesurgery robot in 2015, manipulating the commands sent to it by intercepting communications between the machine and the surgeon.
As the telesurgery market expands, so does the risk of serious incidents. A cybersecurity breach could have devastating implications for patients and even result in death. Hospitals are more vulnerable than ever to cyberattacks, leaving them open to data breaches that could compromise sensitive patient information, putting everyone’s safety at risk.
Medical Records
Medical device hacking continues to be a major concern for medical device makers. Data security is one reason, but hackers are also expected to target medical records this year, which may include sensitive information such as passwords and Social Security numbers.
A survey by PwC found that the healthcare industry faces some of the highest risks from cyberattacks because it stores a large amount of data on patients, their families, and their providers.
Medical device safety is an important issue for companies that make medical devices, especially if they have access to patient data. Many devices used in hospitals are embedded systems, running legacy operating systems with known vulnerabilities. Hackers can exploit these flaws to access medical records and sell them on the black market.
In the wake of a data breach, gaining access to medical devices isn’t sufficient if there is no intent or method for using them. Medical device hacking is an opening for outside parties to access the network and steal data across it.
On networks that do not implement rigorous scanning for connected devices, hackers can connect to medical devices when on the premises. Fully remote attacks often use phishing as a starting point instead: attackers send malicious emails designed to steal the recipients’ login credentials.
Medical records can be sold on the black market for 10 times more than credit card information, making them a lucrative target for cybercriminals.
What can be done to safeguard patient safety?
Hospitals should take the steps necessary to ensure their security is strengthened.
An examination of the security vulnerabilities in medical devices makes it evident that neither device manufacturers nor hospitals pay nearly enough attention to cybersecurity.
The most effective way to prevent medical device hacking is to implement security measures on the devices themselves. Hospitals should also educate patients on how to protect themselves from phishing attacks and other threats.
While cyberattacks on medical devices have been rare so far, they still pose a threat that hospitals must take seriously. The risk of a medical device being hacked is very real, and hospitals and patients must take steps to prevent this.
Medical devices run software systems that can be breached by hackers. The most common way hackers gain access is by exploiting vulnerabilities in the system’s code, which is often old and outdated.
Here’s what hospitals can do to protect themselves against medical device hacks:
1. Encrypt all data sent between devices, including patient data and remote access connections. This includes using strong encryption protocols that use a unique session key each time the devices connect.
2. Use firewalls and other network security controls between networks that contain sensitive data and the internet.
3. Only authorized users (e.g., doctors) should be able to access hospital equipment remotely, using strong passwords and two-factor authentication where possible (e.g., using a password plus a one-time code).
4. Monitor logs for unauthorized activity or unusual behavior from networked devices or computers connected to hospital equipment (e.g., an unexplained spike in traffic).
5. Report any security breaches. Hospitals are not required to report such attacks to the FDA, but when they do occur, the agency will investigate them and release a report about what happened and how it could have been prevented.
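As an added example (not part of the original article), here is one way to implement the log monitoring in step 4: it flags an unexplained traffic spike from a known device and any device that is missing from the approved inventory. The log format, MAC addresses, device names and the 5x-median threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed inventory of approved devices (MAC -> label); hypothetical names.
INVENTORY = {
    "00:00:5e:00:53:01": "infusion-pump-ward3",
    "00:00:5e:00:53:02": "patient-monitor-ward3",
}

# Constructed hourly flow summaries in an assumed format: "<hour> <mac> <bytes_out>".
SAMPLE_LOG = """\
00:00 00:00:5e:00:53:01 1200
00:00 00:00:5e:00:53:02 5000
01:00 00:00:5e:00:53:01 1100
01:00 00:00:5e:00:53:02 5200
02:00 00:00:5e:00:53:01 1300
02:00 00:00:5e:00:53:02 4900
03:00 00:00:5e:00:53:01 1250
03:00 00:00:5e:00:53:02 5100
03:00 00:00:5e:00:53:99 700
04:00 00:00:5e:00:53:01 98000
04:00 00:00:5e:00:53:02 5300
corrupted line
"""

def parse(log):
    """Group (hour, bytes) samples by device MAC, in log order."""
    per_device = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed records instead of crashing the monitor
        per_device[parts[1].lower()].append((parts[0], int(parts[2])))
    return per_device

def find_alerts(log, inventory=INVENTORY, factor=5.0, min_history=4):
    """Return (kind, mac, hour) tuples for unknown devices and traffic spikes."""
    alerts = []
    for mac, samples in parse(log).items():
        if mac not in inventory:
            alerts.append(("unknown-device", mac, samples[0][0]))
            continue
        for i, (hour, nbytes) in enumerate(samples):
            history = [b for _, b in samples[:i]]
            if len(history) < min_history:
                continue  # not enough baseline for this device yet
            if nbytes > factor * max(median(history), 1):
                alerts.append(("traffic-spike", mac, hour))
    return alerts
```

Using the median of each device's own history keeps one earlier outlier from inflating the baseline, which matters for devices whose normal traffic is small and steady.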
Medical device cybersecurity is a real threat—one that can have serious consequences for your hospital. That’s why it’s so important to have monitoring and alerting systems in place to detect unauthorized access, as well as an administrator or IT Officer who can oversee these systems and investigate security alerts.
The more prepared you are, the less likely a cyberattack will hit your hospital.