Medical devices are a glaring target for hackers. It’s not just hospitals that need to worry about the security of medical devices. Manufacturing companies are also taking note. These attacks could cause serious harm to patients, but healthcare companies have been slow to fix the problem. Now, the FDA is getting involved.
The US Food and Drug Administration is gearing up to address the security risks associated with medical devices. The federal agency recently proposed a new set of rules for device manufacturers that would require them to implement security controls and create a plan to deal with any vulnerabilities in medical equipment.
These rules, which apply to medical devices sold in the US, are the first of their kind and will affect everything from defibrillators to insulin pumps and CT scanners.
This initiative comes after years of urging from security researchers who have proven time and time again that attackers can hack these products. Furthermore, journalists have repeatedly shown how easy it is to hack connected medical equipment, such as insulin pumps and pacemakers.
Why Health Systems are Subject to Many Cyberattacks
In addition to the security flaws in medical devices, several other factors make health systems especially susceptible to hacks. Here’s why health systems are such prime targets for cyberattacks.
Shifting from paper to digital records
The move from traditional to digital health records has made it easier for hackers to access sensitive patient data. Electronic health records contain valuable personal information, like social security numbers and birth dates. The sheer volume of electronic data makes it easy for hackers to hide their activity and cover their tracks.
The need for real-time data
Health systems have little tolerance for downtime when accessing patients’ vital health data. This is especially true in emergency rooms, where doctors often need to look at a patient’s history as soon as they arrive to make a quick diagnosis and determine whether they need surgery or another procedure.
Medical devices run on outdated software that can’t be updated easily. And unlike other computer systems, they can’t work offline without putting lives at risk.
Availability of options
It’s not only medical devices that pose a risk. Since health care networks are so large and complex with many different types of technology, there are plenty of other points at which an attacker could gain access and cause harm.
Lack of awareness
The healthcare industry is not a tech-oriented sector, and many administrators do not have cybersecurity knowledge.
Many health systems are short on funds, and they cannot afford to invest as much money in cybersecurity measures as they should.
As with the lack of resources, health systems sometimes cannot keep up with the latest operating systems or other software versions.
Healthcare organizations often retain legacy systems from previous decades that are no longer used but are still connected to the network. These older systems may contain vulnerabilities that hackers can exploit.
Many healthcare workers bring their own devices (BYOD) to work to cut down on costs. While this is convenient for the workers, it can increase the risk of a data breach.
Ineffective security measures
Even if healthcare organizations want to improve their security, they may not know which measures are most effective against their threats.
A Case for More Intense Overall Security in the Health Industry
Of late, numerous reported cases show medical devices serving as entry points for cyberattacks against hospitals. In one incident, hackers shut down hospital technology systems by targeting an Internet-connected drug infusion pump. Like many other hospital devices, the pump had no security measures beyond a default password. In another case, hackers locked down data on a hospital network and demanded thousands of dollars in bitcoin before they would release it.
A cybersecurity company that worked with the US Food and Drug Administration to assess the security of medical devices found that a shocking number of them were vulnerable to hacks.
Researchers reported that hackers could compromise hospital infusion pumps to deliver dangerous amounts of drugs or even stop delivering medicine altogether. Cardiac devices have potential vulnerabilities that could let hackers access patients’ records.
How Health Systems Minimize Cyberattacks
The FDA recommends measures aimed at helping medical device companies better protect their products against hackers. There are three critical elements to the guidance:
First, device makers should consider cyber risks during the development process;
Second, they should follow specific steps to ensure products are protected;
Third, they should update devices post-market, while consumers are using them, if vulnerabilities are evident.
Data theft, ransomware attacks, and viruses are among the most common threats to healthcare organizations. The best way to fight against cybersecurity risks is to use a VPN, as using a VPN hides your IP address, making it impossible for hackers to lay their hands on sensitive information. Healthcare systems are a hot target for cybercriminals, and security is paramount. A VPN encrypts their internet connection and presents a challenge to hackers.
The FDA has been aware of the cybersecurity issues with medical devices for some time, but the issue took a backseat to other concerns like device effectiveness and safety.
The US government’s approach to medical device cybersecurity is reactive. It flags vulnerabilities as they arise and attempts to get manufacturers to fix them.