The Food and Drug Administration (FDA) and medical device makers are expecting more hacking attacks, according to an in-depth piece published by The Hill.Tens of millions of electronic health records have been compromised in recent years, with hospitals and health insurers hit by hackers. Now attention is turning to vulnerabilities in medical devices like pacemakers and insulin pumps that could make them susceptible to hacking.
The FDA is coordinating with other agencies on how to respond if a medical device hack were to occur.
“This is what we said to manufacturers; one should consider the environment a hostile environment, there are constant attempts at intrusion … and they have to be hardened,” said Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health.
In 2016, healthcare brand Johnson & Johnson told its customers that its insulin pumps had a security vulnerability that hackers could potentially use to access the device, which has a wireless controller, and cause a potentially fatal overdose of insulin. Wireless connection can be an easy access point for hackers.
However, so far there have been no known cases of medical-device hacking causing patient harm, according to Zach Rothstein, associate vice president at the Advanced Medical Technology Association.
Hackers can tap into a hospital, through an unsecured wireless printer, for example, and access the entire system, or take over a hospital’s electronic records or lock them out of their website until a ransom is paid.
“In just the last few years […] we’ve seen more than a hundred million health records of American citizens breached in a couple of well-publicised incidents,” Terry Rice, vice president of IT risk management and chief information security officer at Merck & Company, told the Energy and Commerce Oversight and Investigations Subcommittee recently.
Rice, who sits on the Healthcare Industry Cybsecurity Task Force, believes the cybersecurity problem is “significantly underreported” in the healthcare industry.
He also said organisations are unlikely to report security incidents if not required to do so because of the potential reputational harm that might occur.
The FDA says in its premarket guidance that it recognises that medical device security is a shared responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices.
FDA guidance on medical devices also says manufacturers have an obligation to consider the cybersecurity of their devices during design and throughout the operating life of that device, potentially providing the basis for someone to allege that manufacturers have a duty to do more to secure devices.
Information sharing can protect against hacking attempts. Healthcare providers, manufacturers and others are part of a group that update their defences against common threats, while congress and the industry both promote healthcare information sharing, to get it up to par with other industries, such as financial services.
“The problem is aggravated by the very low level of cybersecurity at hospitals in general – lack of segregation and access rights, missing security patches and updates, missing or weak encryption, insecure authentication, default or weak passwords.” Ilia Kolochenko, CEO, High-Tech Bridge
Both the FDA and industry are hiring cybersecurity experts, with many companies also using “coordinated disclosure” where researchers or “white hat” hackers can report vulnerabilities directly to the company instead of making them public.
“The medical device industry, I would say in the last two-and-a-half years or so, has gone from general understanding of the issue, general participation to extreme awareness and participation in cybersecurity efforts,” Rothstein said.
Ilia Kolochenko, CEO of web security company High-Tech Bridge says that ransomware, has not historically target hospitals and insurance firms, though he concedes that targeted attacks against healthcare institutions may increase in the near future as the victims usually have no other choice but to pay without a delay.
The vulnerability of connected medical devices to hacking depends on various factors. Such devices are usually made without any precaution in terms of information security but the hacker usually has to be near the device or at least inside of the hospital wireless network. However Kolochenko agrees these types of hacks could increase.
He adds: “The problem is aggravated by the very low level of cybersecurity at hospitals in general – lack of segregation and access rights, missing security patches and updates, missing or weak encryption, insecure authentication, default or weak passwords.
“Connected medical devices should be strictly and severely regulated by governments, and their manufacturers should bear the liability for any negligence or carelessness during the manufacturing process – otherwise medicine will become an extremely dangerous activity within the next decade.”
