The federal government reported that in 2016 the healthcare industry experienced 106 hacker-attributed data breaches. Around $2.8 billion was spent on cleaning up hacking incidents. Nowadays medical devices are connected to the internet (and are therefore prone to cyberattacks), but are they keeping pace with cybersecurity developments?
The issue was first brought up when potential security vulnerabilities in St. Jude’s pacemakers and defibrillators were discovered. To read more on the controversy of St. Jude’s medical devices, go here. The FDA investigated the vulnerabilities and issued a Safety Communication confirming vulnerabilities of St. Jude’s cardiac devices. Shortly after, Johnson & Johnson started to warn its patients about a cyber vulnerability of its older model insulin pump, which could potentially be hacked and cause injury or death to patients (overdose).
The hacking potential is huge in the medical devices field. Not only are we talking about hacking individual devices, which can cause harm or death to patients, but also about accessing hospital networks through them. And hospital databases have been a lucrative target for hackers. TrapX – a cybersecurity defense firm – released a report describing how hackers can gain access to hospital networks through medical devices (and how they can hack a hospital drug pump to modify the amount of medication to a fatal dose!).
Healthcare providers selling, maintaining, or working in any way with medical devices must be aware of the potential risks associated with cybersecurity. Potential breaches can cost millions to clean up (including ransoms in bitcoins), cause injuries to patients (read: potential suits against providers), and inflict reputational harm.
The FDA issued guidance on cybersecurity in medical devices, accessible here.
The FTC also issued guidance on best practices in preventing cybersecurity breaches in medical devices. You may access it here.