Medical Systems Hacks Are Scary, but Medical Device Hacks Could Be Even Worse
On Friday, a major cyber attack hit health systems around the world. In Britain, where the attack affected hospital IT systems, doctors were unable to access patient records. Ambulances were diverted and emergency care delayed.
Unfortunately, attacking hospital IT systems is just the tip of the iceberg when it comes to cyber vulnerabilities in the health care sector. Hacks of implanted or wearable medical devices are an even more sobering threat.
Researchers in Belgium and the UK have demonstrated that it’s possible to transmit life-threatening (if not fatal) signals to implanted medical devices such as pacemakers, defibrillators, and insulin pumps. A catheter lab in a Virginia facility was temporarily closed when malware was discovered on the computers supporting cardiac surgery. In three other similar cases, malware capable of opening up “backdoor” access to a hospital’s IT network was found in software residing on X-ray, blood gas analyzer, and communications devices. More recently, researchers investigating cybersecurity of medical devices provided the Center for Devices and Radiological Health at the Food and Drug Administration (FDA) with a list of specific medical device vulnerabilities identified through their ongoing work, and just last year two commercial vendors revealed vulnerabilities in insulin pumps and a nursing inventory supply system that could compromise care and provide covert network access.
Such devices are becoming more and more common in health care. Spurred by an aging population, increases in chronic disease, and technological breakthroughs, the electronic medical device market is poised to reach an estimated $398 billion in 2017. But while the market expands at an expected rate of 3% per year until at least 2022, hospital IT networks remain slow to address longstanding cybersecurity challenges that raise both privacy and potentially fatal health concerns. Surveys of health IT leaders reveal that much of their cybersecurity budgets will remain focused on securing enterprise networks through infrastructure, datacenter, and cloud security, while emerging government and industry regulatory frameworks provide only guidance without meaningful penalties, making it easy for health system IT leaders to deprioritize the risks presented by medical devices. Moreover, a major challenge is the continued presence in the marketplace of devices manufactured before 2014, when the FDA’s guidance was issued. (For example, in 2013, the average age of an MRI scanner in the U.S. was 11.4 years.)
There are, however, some basic steps that hospital CIOs can take to reduce their risk and protect patients, devices, networks, and data:
Read More at the Source: Medical Systems Hacks Are Scary, but Medical Device Hacks Could Be Even Worse