Last week, The Food and Drug Administration released draft guidance on hospital networks and medical device security. The guidance comes at a time when both are increasingly coming under attack, creating a need for greater focus on cybersecurity to protect patient data.
Up to this point most security problems experienced at hospitals have been internal, to which the Department of Health and Human Services’ Wall of Shame will attest. The majority of security breaches reported to the agency have resulted from lost devices or other employee mistakes, not hackers or malware.
But providers are growing increasingly concerned about malicious attacks, and nowhere is this concern more justified than in the area of medical devices, whose simpler operating systems are more vulnerable to break-ins. No doubt it can be a major problem if a hacker makes off with a collection of patient records, but financial or reputational harm are typically the worst consequences. Patients’ lives are literally at stake when you talk about medical devices.
There is good reason for providers to worry those medical devices may be the target of malicious attacks. The FDA’s draft guidance notes that the agency has received reports of medical devices disabled or infected by malware. Furthermore, regulators said that some devices that are not yet infected could be, warning of security vulnerabilities in both new and legacy off-the-shelf devices that increase the risk of infection.
More targeted attacks are also possible. At the 2011 Black Hat security conference, IBM cyberthreat security analyst Jay Radcliffe displayed how easy it is to hack into an insulin pump and turn control of the device over to a third party. And fans of HBO’s Homeland series are familiar with the scenario in which terrorists assassinate the vice president by hacking into his pacemaker and accelerating his heartbeat. Experts say this plotline is completely plausible. The NBC Sherlock Holmes update Elementary also recently featured a similar plotline, except with the hacker electrocuting the victim by overloading his pacemaker.
Given the threats that exist and the severe consequences that can ensue, it is time for the industry to start taking medical device security seriously. The FDA’s draft guidance may help start that conversation.