Medical devices used every day in healthcare remain vulnerable to hacking. From glucose monitors to imaging machines to infusion pumps, these are critical supports in patient care. Many of them are connected over the internet to other networks, whether to a nurses’ station or an electronic health records (EHR) system. This convenience and connectedness also bring risk. If a medical device is hacked by a cyber criminal, the result could be a data breach, an interruption of the device’s function and a danger to patient care.
Earlier this year, the Food and Drug Administration (FDA) published updated guidance regarding cybersecurity threats for medical devices because of growing concerns about their vulnerabilities. Depending on the device’s functionality, an attack on a medical device can cause a breach of PHI, incorrect health assessments, miscalculated medication dosages, and other potentially fatal outcomes.
While the new guidance is not mandatory, the FDA is continuing to move toward stricter standards for cybersecurity protections in medical devices. This guidance reveals the FDA’s “current thinking” on the topic and should be viewed as a strong recommendation for device manufacturers seeking FDA approval.
Connected Medical Devices are Often Outdated
The central problem is that many of these devices use outdated legacy software. They have been in use for many years and continue to work as intended, but their security defects are not obvious to the everyday user. A device may need software patches or updates, or it may be so outdated that the manufacturer no longer supports it at all. When an electronic medical device is not updated and supported, it is vulnerable to hacking.
The top four conclusions from a recent report by security company Armis are that:
- Almost 1 in 5 (19%) connected medical devices are running unsupported operating system versions, e.g., old versions of Windows.
- Nurse call systems are the riskiest connected medical device, with 39% of them having critical severity unpatched Common Vulnerabilities and Exposures (CVEs) and almost half (48%) having unpatched CVEs.
- Infusion pumps are second, with 27% having critical severity unpatched CVEs and 30% having unpatched CVEs.
- Medication dispensing systems are in third place, with 4% having critical severity unpatched CVEs, but 86% having unpatched CVEs. Moreover, 32% run on unsupported Windows versions.
In terms of traditional IoT (Internet of Things) devices, Armis found IP cameras, printers, and VoIP (Voice over Internet Protocol) devices to be among the riskiest devices in clinical environments.
Problem with Illumina Genetic Sequencing Software
One specific example arose recently. Eight days ago, the Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) issued public notifications to inform organizations about vulnerabilities affecting the Universal Copy Service (UCS) component used by several of Illumina’s genetic sequencing instruments. These instruments are medical devices that may be used either for clinical diagnostic purposes, sequencing a person’s DNA for various genetic conditions, or for research.
HIPAA Requires Cybersecurity Protection
Although the FDA guidance is not mandatory, HIPAA rules are. The HIPAA Security Rule requires covered entities and business associates to maintain secure transmission of protected health information (PHI). For electronic data maintained or transmitted on medical devices, this means keeping software up-to-date, patching software when required, and replacing devices that are no longer supported.
Understandably, this is a huge task for many organizations. But more can be done with a thorough HIPAA Risk Analysis, an inventory of all medical devices in use, and creating a Risk Management plan to harden security and shore up cybersecurity defense.
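As an added illustration (not part of the original article), the following Python triage applies the framing of the Armis figures and the HIPAA passage above to a constructed device inventory: per device class it reports the share running an unsupported OS and the share with unpatched CVEs (critical or any), and it turns the inventory into a replace/patch/monitor plan. The inventory rows, the unsupported-OS list and the CVE identifiers are hypothetical placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical list of OS versions the vendor no longer supports.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}

@dataclass
class Device:
    asset_id: str
    category: str                 # e.g. "nurse call", "infusion pump"
    os: str
    unpatched_cves: list = field(default_factory=list)  # (cve_id, severity)

    @property
    def unsupported(self) -> bool:
        return self.os in UNSUPPORTED_OS

    @property
    def has_critical(self) -> bool:
        return any(sev == "critical" for _, sev in self.unpatched_cves)

def category_stats(devices):
    """Per device class: % on an unsupported OS, % with critical unpatched
    CVEs, % with any unpatched CVE (the three measures the Armis report uses)."""
    groups = defaultdict(list)
    for d in devices:
        groups[d.category].append(d)
    stats = {}
    for cat, devs in groups.items():
        n = len(devs)
        stats[cat] = {
            "unsupported": round(100 * sum(d.unsupported for d in devs) / n),
            "critical": round(100 * sum(d.has_critical for d in devs) / n),
            "unpatched": round(100 * sum(bool(d.unpatched_cves) for d in devs) / n),
        }
    return stats

def remediation_plan(devices):
    """Replace unsupported devices (no patch will ever come), patch those with
    open CVEs, monitor the rest; critical CVEs sort first within each group."""
    def action(d):
        return "replace" if d.unsupported else "patch" if d.unpatched_cves else "monitor"
    order = {"replace": 0, "patch": 1, "monitor": 2}
    ranked = sorted(devices, key=lambda d: (order[action(d)], not d.has_critical, d.asset_id))
    return [(d.asset_id, action(d)) for d in ranked]

# Constructed inventory; CVE ids are placeholders, not real identifiers.
INVENTORY = [
    Device("NC-01", "nurse call", "Windows 7", [("CVE-PLACEHOLDER-1", "critical")]),
    Device("NC-02", "nurse call", "Windows 10", [("CVE-PLACEHOLDER-2", "high")]),
    Device("IP-01", "infusion pump", "Windows 10"),
    Device("IP-02", "infusion pump", "Windows XP", [("CVE-PLACEHOLDER-3", "critical")]),
]
```

Feeding the real inventory from a HIPAA Risk Analysis into `category_stats` and `remediation_plan` gives the same per-class view the report uses and an ordered worklist for the Risk Management plan.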