Although medical devices are a critical part of patient care, they continue to pose cybersecurity risks to patient care and system data. These devices often are connected to a healthcare provider’s network and other devices within the network system, enabling cybercriminals to threaten patient well-being, steal sensitive data, and introduce malware and ransomware into the entire healthcare organization. In 2019, healthcare organizations lost $4 billion to ransomware attacks and data breaches.

Guidelines for Manufacturers and Healthcare Delivery Organizations

The Food and Drug Administration (FDA) serves as a central clearinghouse on cyber threats related to medical devices. While recognizing that risks and threats to medical devices cannot be eliminated, the agency brings together manufacturers, hospitals, and healthcare providers to share information on cyber threats and coordinate efforts to manage cybersecurity risks.

The FDA has issued guidance and recommendations for both pre-market manufacturing and post-market management of cybersecurity in medical devices. For example:

  • Medical device manufacturers are charged with remaining vigilant in identifying potential hazards and risks associated with their devices, with particular emphasis on cybersecurity threats.
  • Healthcare delivery organizations are directed to evaluate their network security to protect patients and hospital systems. The FDA notes that although no patient deaths have been attributed to date to compromised medical devices or systems, there is potential for cybercriminals to access and control medical devices that may lead to patient harm.
  • Both medical device manufacturers and healthcare delivery organizations should put appropriate mitigating measures in place to ensure patient safety and the secure operation of medical devices.

Cybersecurity Vulnerability Testing Enabled

The FDA has partnered with MITRE Corporation, a Massachusetts-based nonprofit that manages federally funded research, to develop a medical device cybersecurity “sandbox” to enable security testing, research, and technical evaluation. The sandbox provides an environment for assessing potential vulnerabilities and possible mitigations that can be shared among medical device manufacturers, healthcare providers, and the FDA. It simulates the clinical environment in order to identify, assess, and manage security vulnerabilities in medical devices, minimizing potential impacts on device performance and patient safety as well as threats to healthcare organization systems.

CyberMed Safety Analysis Board Proposed

Since 2018, the FDA has championed the creation of a CyberMed Safety Analysis Board (CYMSAB). This $70 million public-private partnership would integrate considerations for patient safety and the clinical environment into the assessment and analysis of cybersecurity vulnerability and risks to medical devices and incidents. CYMSAB is envisioned as a coordinated approach to cybersecurity that draws on the expertise of clinicians, healthcare providers, systems experts, and biomedical engineers from leading device manufacturers.

However, the FDA has received only a very small amount of funding to explore the implementation of CYMSAB. With other demands related to healthcare pressing the federal government, efforts to protect health delivery providers and patients from medical device cyberthreats may continue to progress slowly.

Heed Precautions to Ensure Patient Safety and Systems Security

Until the CYMSAB is established, healthcare providers should protect patients and sensitive data by taking appropriate steps to ensure strong security policies and practices are followed. This includes keeping software updated and ensuring security patches are made in a timely manner. All staff members should be regularly trained and tested on safe cybersecurity practices and policies related to phishing, password control, ransomware, and other threats.

If you have any questions about this topic, please contact DMJ.


J. Eric Panknin, CISSP, MCSE, Security+

As Manager of Technology Solutions for DMJPS, Eric Panknin, MCSE, CISSP, maintains DMJPS’ increasingly sophisticated technology network and addresses the firm’s strategic IT needs. In addition, Eric also consults with DMJPS clients on technology engagements that may include design, implementation, and support.
