Medical device security: The new wave in cyberthreats

By Rebecca Vesely

The premier hacking conference DEF CON this summer will, for the first time, include a hackathon of medical devices. It is a sign of the significant growth in the use of connected medical devices and their vulnerability to threat actors and other intruders.

So for journalists covering hospitals, clinics, health systems and home health, it is worth keeping an eye on the security aspect of medical devices. While the security of computer systems and electronic medical records has drawn increasing media coverage, medical device security has not.

As hospitals introduce new medical devices and allow clinicians and other staff to use personal devices such as smartphones on their premises, questions about security can be overlooked. A big reason for this may be that typically no one is officially in charge of medical device security. HIPAA, for instance, focuses on patient privacy, not security. The U.S. Food and Drug Administration has issued recommendations on the security of medical devices but doesn’t conduct cybersecurity tests before approving devices for commercial use.

Device manufacturers are responsible for identifying risks and putting safeguards in place, but experts say there is wide variation among vendors.

Moreover, the scope of the issue continues to grow as medical devices expand outward from hospital units to outpatient clinics and into patient homes for remote monitoring. Implantable devices also are vulnerable to tampering. Malware already has been found residing in computers supporting cardiac surgery.

The Internet of Things (IoT) era has begun in earnest.

“The perimeter as we know it has melted down,” said Chris Richter, senior vice president of global security services for Level 3 Communications, a global network services company. “Malware can attach itself to almost anything.”

Cybersecurity is a $5.5 billion industry, and yet little of that money is spent on medical device security, according to Will Parkenson, global director of life sciences and healthcare at Unisys, a global manufacturer.

In May 2017, the FDA held a public workshop on medical device security. The agency plans to publish a report based on the workshop’s discussions at the end of 2017.

Hospitals can make medical devices up to 70 percent safer, Kevin McDonald, director of clinical information security at the Mayo Clinic, said at the FDA workshop, according to news reports. Cybersecurity experts at the HIMSS Privacy and Security Forum in San Francisco earlier this month also agreed that hospitals could do more to protect medical devices from security threats.

As medical devices move into people’s homes, patients could become more vulnerable to cybersecurity threats. Here are some questions journalists can ask health facilities on their beats about the security of medical devices:

  • How often are passwords changed on connected medical devices and what is the password strength?
  • How widespread is the use of two-factor authentication?
  • How are medical devices assessed for security before being approved for purchase?
  • When new devices are introduced, what device risk assessments are conducted?
  • How often are long-term devices subject to follow-up security testing?
  • What governance steps have been taken to focus on medical device security?
  • What is the accuracy of device inventories and are records being kept on total devices in the hospital and out in the community?
  • What are the security requirements for the smartphones of clinicians and other staff? Is there tracking on how these devices may interact with medical devices?
  • Is whitelisting being used to control application executions?

Rebecca Vesely is AHCJ’s health information technology topic leader. She started writing about health IT in the late 1990s as a reporter and then Washington bureau chief for Wired News. Since then, she has covered health care as a staff reporter for the Oakland Tribune, the Bay Area News Group and Modern Healthcare magazine.

AHCJ Staff
