Security, Data Protection for Medical Devices: Healthcare Orgs Can’t Afford to Wait
Networked medical devices have great potential to improve patient outcomes. After all, devices that can signal healthcare professionals instantly when a risk or crisis occurs can save valuable time on the way to diagnosis and treatment.
Yet, whenever a medical device uses software that generates and/or displays sensitive data, the risk of cyberattack exists. Many medical devices use the same types of technologies used in other IT environments, which means they can be just as vulnerable to hacking as computers and mobile devices. This is more than conjecture. Researchers have proven it is possible to hack medical devices such as pacemakers and insulin pumps.
A cyberattack on any organization means downtime and the possibility of additional costs to restore damaged systems. But healthcare organizations have the added concerns of breaches that involve protected health information (PHI) and system outages that can put lives at risk. Medical devices containing vulnerabilities may provide a hacker with a way into the healthcare organization’s network as a whole, enabling them to steal PHI or other data — or hold it for ransom.
The risks are real, but traditionally the government has categorized, and subsequently regulated, medical devices differently from other IT devices. In an important step toward extending IT security to include medical devices, the U.S. Food and Drug Administration (FDA) issued “Postmarket Management of Cybersecurity in Medical Devices” in December 2016, a set of nonbinding guidelines related to securing medical devices.
The FDA recommends that medical device manufacturers take the following security measures:
- Include a way to monitor and detect cybersecurity vulnerabilities in medical devices
- Assess the level of risk a vulnerability poses to patient safety
- Deploy software patches and other security risk mitigation measures as early as possible, before they can be exploited
Additionally, the FDA recommends that medical device manufacturers work with cybersecurity professionals to learn about potential vulnerabilities. Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships at the Center for Devices and Radiological Health, explains that this is known as a “coordinated vulnerability disclosure policy,” in which people who find vulnerabilities in devices disclose that information to the manufacturer or vendor.
The FDA also encourages medical device manufacturers to follow the National Institute of Standards and Technology’s (NIST) principles for improving critical infrastructure cybersecurity, including developing a core policy based on four tenets of cybersecurity: identify, protect, detect, and respond.
What Healthcare Organizations Can Do Now
It’s early in the timeline for standardizing the security of medical devices, but networked devices are in use in hospitals and other healthcare facilities today — and many devices have been developed without security measures that can protect them from cyberattacks.
Healthcare facilities must put security solutions in place, such as firewalls, antivirus, intrusion detection systems/intrusion prevention systems (IDS/IPS), and identity and access management (IAM) solutions. Segmentation should be used as an extra layer of protection for vital applications and sensitive data.
Although the responsibility for securing these devices falls to device manufacturers and regulations must come from the government, the responsibility for patient welfare falls to healthcare organizations. While many healthcare organizations may be aware of industry regulations and security in general, there is much less awareness of the security vulnerabilities that exist in medical devices. This is where IT solution providers can add significant value in educating healthcare customers and helping them protect these mission-critical assets — and their business reputations.