Cybersecurity and Hacked Medical Devices


In 2015, two major cybersecurity breaches compromised the security of over 80 million medical records. The breach of the UCLA Health System may have compromised as many as 4.5 million records. In the breach of the health insurer Anthem Inc., attackers gained access to a server that contained 78.8 million health records, though it’s not known how many were actually compromised.

With incidents like these, experts are worried about the possibility of medical devices—from pacemakers to mobile apps—being hacked as well. This could be potentially fatal for people who rely on these devices, which are vulnerable to attack because they’re networked via the internet to all sorts of other devices. In fact, pacemakers and insulin pumps have been hacked for the purposes of demonstrating security risk.

It’s hard to see how this kind of hacking would be lucrative. Hackers often access information to ransom it, but attacking somebody’s medical device directly wouldn’t seem profitable. However, this doesn’t dissipate the fear that it might happen, and experts are working on ways to make these devices more secure from cybersecurity threats.

Identifying Vulnerabilities

The increasing integration of medical devices into networks has streamlined many facets of medical care, yet leaves these devices vulnerable to cybersecurity threats. Attacks attempting to exploit the vulnerabilities of networked devices often focus on web servers, database servers, or application software.

Web servers: Web servers provide an interface through which to configure and interact with other devices. However, web services often contain readily exploitable vulnerabilities. Freely available hacking tools can scan web interfaces and display vulnerabilities that can be used by an attacker.

Database servers: Often, systems and devices store the data they use in a database. These databases are queried with a language called Structured Query Language (SQL). Applications that build SQL statements directly from unvalidated input are vulnerable to a very serious attack called SQL injection, which could potentially be used to simply delete all information from the database.

Application software: Any software running on a device could contain vulnerabilities if it has not been subjected to rigorous vulnerability testing.
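
The SQL injection risk described under "Database servers" above, shown as an added example that is not part of the original article. It uses a constructed table of device readings (the table, column, and function names are assumptions) and runs the same delete operation once with string concatenation and once with a bound parameter.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample readings."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (device_id TEXT, glucose_mg_dl INTEGER)")
    db.executemany(
        "INSERT INTO readings VALUES (?, ?)",
        [("pump-001", 104), ("pump-001", 131), ("pump-002", 98), ("pump-003", 142)],
    )
    return db

def purge_unsafe(db, device_id):
    """Vulnerable: the caller's string becomes part of the SQL text itself."""
    cur = db.execute("DELETE FROM readings WHERE device_id = '" + device_id + "'")
    return cur.rowcount

def purge_safe(db, device_id):
    """Hardened: the ? placeholder binds the value as data, never as SQL."""
    if not isinstance(device_id, str) or len(device_id) > 64:
        raise ValueError("unexpected device id")
    cur = db.execute("DELETE FROM readings WHERE device_id = ?", (device_id,))
    return cur.rowcount

def remaining(db):
    """Count the rows still stored in the readings table."""
    return db.execute("SELECT COUNT(*) FROM readings").fetchone()[0]

# Constructed hostile input of the kind a web form field might carry.
HOSTILE_ID = "pump-001' OR '1'='1"

def demo():
    """Run both variants on fresh databases; return (deleted, remaining)."""
    results = {}
    for name, purge in (("unsafe", purge_unsafe), ("safe", purge_safe)):
        db = make_db()
        deleted = purge(db, HOSTILE_ID)
        results[name] = (deleted, remaining(db))
    return results

if __name__ == "__main__":
    for name, (deleted, left) in demo().items():
        print(f"{name}: deleted={deleted} remaining={left}")
```

With the concatenated query the quote in the input closes the string literal and the rest is evaluated as SQL, so every row matches; with the bound parameter the whole input is compared as a single device ID and nothing matches.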

Best Practices for Preventing Cyber Attacks

Manufacturers of medical devices are being encouraged to implement comprehensive cybersecurity improvement processes. These include preventative security measures and risk management. The interoperability of multiple networked devices creates problems for securing these connections, especially with the diversity of devices and software in question. However, certain techniques are indispensable for securing these connections and preventing security breaches.

For instance, information and notification feedback loops should be created between health care providers and medical device manufacturers. Also, regular network and access monitoring where medical devices are used should be customary and reportable to various levels of the organization. Moreover, risk management is essential, and includes documenting data flows regarding networked medical devices, ensuring their appropriate security, and implementing procedures that identify security vulnerabilities at each stage of the process.

However, these techniques pose challenges with regard to medical devices. For instance, network scanning tools, used to identify vulnerabilities and calculate risk in order to secure networks, do not recognize medical devices. Additionally, cybersecurity specialists need physical access to medical devices in order to test them and evaluate security risk. Proper collaboration is needed between medical device vendors and their customers in the health care system in order to implement the correct procedures, which may call for greater regulation.

Regulations

On January 22, 2016, the Food and Drug Administration (FDA) released guidelines for managing cybersecurity in medical devices. These guidelines could be incorporated into future legislation. Regulations on the books have already addressed some of the issues discussed above.

The FDA Safety and Innovation Act gives the FDA the authority to collect user fees from the medical device industry in order to expedite the review and approval of consumer products, including medical devices. Additionally, it intends to promote innovation by streamlining the development and approval process for medical devices and drugs that show great promise in preliminary clinical evidence.

The Health Insurance Portability and Accountability Act institutes a system of rules and regulations to prevent security breaches that compromise the private medical data of individuals. Entities that come into constant contact with medical data must ensure its security and, in the event of a breach, notify the individuals affected. This law often covers mobile medical apps and devices, and requires that manufacturers and developers provide for the security of medical data processed by their products.

