Health Care Facilities Should Address Medical Device Cybersecurity Risks
November 19, 2014
Hospitals and other health care facilities should evaluate and address the cybersecurity risks posed by medical devices. There are many medical devices connected to hospital or health care provider networks, including hard-wired devices such as patient monitors, ventilators, and imaging devices (X-ray machines and computer systems used for radiology and cardiac procedures). Many other devices are connected wirelessly to a hospital or a health care provider network. For example, a physician might use a wireless electrocardiogram to monitor data from a patient: The device uses hardware and software connected to a network to transmit data.
Connecting medical devices to an information technology (IT) network makes the network vulnerable to intended and unintended threats. There have been several media reports about cybersecurity incidents. The Department of Homeland Security reported that 300 medical devices from a single manufacturer, used by doctors to view MRIs, were infected with the Conficker Worm. The computers were older and did not have updated antivirus software, and they became infected when they were connected to the Internet. The Wall Street Journal reported that the Food and Drug Administration (FDA) is aware of “hundreds” of medical devices that have been infected by malware, or dangerous computer software. Further, the article stated that malware has infected at least 327 devices at Veterans Administration hospitals. Finally, there is the possibility of an intentional attack on a medical device. Reuters reported that a cybersecurity researcher discovered a bug in an insulin pump and wrote a program that could remotely dose patients with potentially lethal amounts of insulin.
Due to the growing use of medical devices connected to hospital and health care provider networks, the FDA has issued guidance to medical device manufacturers for premarket submissions for management of cybersecurity in medical devices, most recently in November 2014. The agency’s guidance to medical device manufacturers recognizes that medical device security is a shared responsibility between stakeholders, including health care facilities. Thus, hospitals and health care facilities should take steps to combat cybersecurity threats.