Medical Device Flaws Shine Light On Security And IoT Issues

How An Organization Should Develop Devices With Security In Mind

Steven Lerner

Most advanced medical devices operate much like computer systems, and many of them can communicate with a medical institution's IT network. This connectivity helps medical professionals make more accurate and safer health decisions for patients. Just like computer systems, however, medical devices are vulnerable to security breaches. In August at the Black Hat security conference in Las Vegas, researchers disclosed vulnerabilities in heart monitoring devices made by Medtronic and warned that attackers could remotely install malware on them.

Medical devices, like any Internet of Things (IoT) solution, can be exploited when security patches are not applied or when an organization fails to consider potential breaches during the development process. As more medical facilities adopt these devices to treat patients and improve health care, the devices are becoming increasingly connected to networks and are therefore more likely to encounter cyber security issues. When a medical device is breached, a patient's life could be at risk.

“Health care facilities face the challenge of weighing out the cost of replacing medical devices versus the possibility of potential cybersecurity threats, safety, and device effectiveness,” said Rizwan Jan, Chief Information Security Officer for the Henry M. Jackson Foundation for the Advancement of Military Medicine. “Mitigating information security risks can be challenging as they require a contributing balance to protect safety and secure device development from both the manufacturer and health care facilities to manage the risks of devices.”

The Role Of The U.S. Food And Drug Administration (FDA)

Although Original Equipment Manufacturers (OEMs) are developing new medical technologies with improved security features, many older devices with known security vulnerabilities remain in use. The FDA works with other federal government agencies, such as the U.S. Department of Homeland Security, and with medical device OEMs to ensure that basic security measures are upheld.

“While the FDA provides recommended guidelines for mitigating and managing security threats, they allow medical devices to be distributed when there is a reasonable assurance that the benefits of the device to patients outweigh the risks,” said Jan. “There is a lack of understanding of the potential risks to patients or users and the results that could occur due to a failure.”


Part of the problem is that the FDA does not conduct premarket security testing of medical devices, which leaves that responsibility with the OEM. There is also a lack of regulation regarding security updates for medical devices once they are in the field, and it is unclear whether the OEM is obligated to provide them. Finally, there is ambiguity about whether third-party servicers have the proper tools and access to service and repair these advanced medical devices.

Steps Organizations Should Take To Enhance Medical Device Security

In an effort to encourage more security measures, the Medical Device Innovation Consortium (MDIC) released a report in October 2018 calling on manufacturers to adopt coordinated vulnerability disclosure (CVD) guidelines. A CVD process gives security researchers a defined channel for reporting vulnerabilities to the manufacturer so that a fix can be developed before details are made public.

“This report encourages companies to leverage the benefits of a defined disclosure process as we work with critical stakeholders to advance medical device product security,” said Randy Schiestl, vice president of R&D at Boston Scientific Corporation and member of MDIC’s Board of Directors.

Meanwhile, health care organizations should gain an understanding of the risks associated with the collection and storage of data on their devices. The FDA should also raise awareness of the potential for breaches as the number of connected IoT devices in clinical settings grows.

“It is imperative that organizations have a clear picture of their assets, the risks associated with those assets, and apply risk-assessment methodologies consistently across the organization,” said Jan.

Enterprises outside the medical industry should treat this story as a cautionary example of the security breaches that IoT devices can invite. It is imperative that all organizations, regardless of industry, consider security vulnerabilities throughout device development rather than after deployment.