7 challenges medical devices pose to providers

Advanced information technologies in medical devices have transformed the healthcare industry, bringing improvements in the efficiency and effectiveness of treatment and other services. However, these advanced devices provide opportunities to cyber criminals, who have the potential to compromise data and put patient safety at risk, according to a new report from the healthcare continuous improvement unit of Underwriters Laboratory. The company assesses security concerns and strategies to help stakeholders minimize risk.

“Strengthening the security of connected medical devices against cyberattacks is a responsibility shared by all industry participants, including hospital administrators, healthcare providers, device developers and manufacturers,” UL contends. For example, device developers and manufacturers must go beyond minimum requirements to secure data by more deeply evaluating potential risks associated with their products during the product development stage and throughout the lifetime of a product’s anticipated use.

In 2016, Johnson & Johnson notified more than 100,000 users of a potential vulnerability in one of its insulin delivery systems that was vulnerable to unauthorized access that might enable a hacker to change a patient’s insulin dosage. In 2017 a WannaCry ransomware attack (which affected 200,000 computer systems) also affected a “power injector” that delivers a contrast agent to patients undergoing imaging exams to improve imaging quality. And in August 2017, the Food and Drug Administration recalled a cardiac pacemaker already in 500,000 patients in the United States because of vulnerabilities a hacker could use to modify the pacemaker programming commands.

Many legacy standalone medical devices have been adapted to work in connected environments but the devices lack security protections, so they have no defense against attacks after they are connected to the Internet or another network. “Such devices may also rely on outdated operating systems or other software that is no longer supported, or they may be connected to legacy computers that fall outside the scope of a healthcare institution’s IT policy control,” UL warns.

Software has long been incorporated into medical devices but today, a host of software applications used for medical purposes that work independently of medical devices are widely available—and vulnerable. Examples of software as a medical device include smart phone apps that enable a user to view results from a medical device for diagnostic purposes, or app-based programs used to develop a treatment plan.

A new generation of consumer-oriented wearable devices is coming into the market to track vital signs and activity, along with other health data. Wearables also are coming into the healthcare environment, which includes homes, enabling providers to monitor patients inside or outside a facility and giving more independence to those who require longer term care and monitoring.

Consequences from security vulnerabilities associated with medical devices, which today now includes consumer wearable devices, can directly affect the health and safety of patients and providers, according to UL. But even when such exposure does not lead to death or injury, cyber attacks can compromise patient information, disrupt provider operations and require substantial resources to rectify. “And for all parties involved, including healthcare providers, device developers and manufacturers, successful breaches resulting from the failure to address known risks can result in adverse market publicity and loss of brand reputation, as well as potential legal exposure.”

Outside the United States, most foreign health data security regulators have focused on cyber threats against patient information rather than threats to connected medical devices. The European Union, for instance, focuses on entities collecting the data of EU citizens. The Food and Drug Administration’s focus, in contrast, is on addressing cybersecurity issues for medical devices and the agency has issued several guidance documents.

The full report from Underwriters Laboratory is available here.