You have likely heard of, and may well have been a victim of, a cyber security breach in which sensitive, personal information was stolen from the servers of a bank, a credit bureau or even a major health care insurer. Medical devices such as pacemakers and insulin pumps are now connected to wireless networks so that they can be controlled, updated and troubleshot remotely. We are living in a time when virtually everything is connected to “the cloud,” and the Internet of Things, which was intended to add connectivity and convenience, is now putting your privacy, security and health at risk and leaving them vulnerable to hackers. Hacking your personal information is one thing, but hacking your pacemaker is quite another thing entirely.
Earlier in the year, the U.S. Food and Drug Administration (FDA) required nearly 500,000 patients with pacemakers to install a software patch to protect themselves from cybersecurity vulnerabilities that had been discovered in the devices. The FDA issued an alert warning patients of the need to update their pacemaker’s firmware; otherwise, the device’s vulnerabilities could allow unauthorized users to access the device. The FDA did not report any patient harm related to the cybersecurity vulnerability in the pacemakers.
An article about medical device cybersecurity cites several documented examples: a security expert hacked into his own insulin pump at a security conference, showing that the device could be remotely accessed and the insulin dose increased; college students hacked a pacemaker installed in a dummy patient used for medical student training and sped up its heart rate; and the FBI warned hospitals to stop using a type of medication pump because of a security flaw that could allow an unauthorized user to change the dosage of the medication in the pump.
In the same way that hackers break into hospital computer networks and hold their data ransom, an unscrupulous hacker could exploit the security vulnerabilities of specific medical devices and threaten harm to extort money.
In a post on the FDA’s blog, Suzanne Schwartz discussed the effects of cyber hacks on public health:
“Global cyber-attacks in 2017, including WannaCry and Petya/NotPetya, have had a significant impact on our nation’s critical infrastructure, including the health care and public health sector. Hospitals, pharmaceutical companies, and even the Kiev airport were among organizations affected by cybercriminals who unleashed copies of the ransomware earlier this year, with demands of payment to restore access to computer networks and crucial files. Because cybersecurity threats are a constant, manufacturers, hospitals, and other facilities must work to prevent them.”
The FDA has published a fact sheet with information about its role in medical device cybersecurity.
New legislation to address cybersecurity vulnerabilities in connected medical devices
A new bill intended to address cybersecurity vulnerabilities in medical devices was introduced in July 2017. The “Medical Device Cybersecurity Act of 2017” would require the FDA to establish a working group of cybersecurity experts from the National Institute of Standards and Technology (NIST), which would “. . . lead to the identification of existing and developing cybersecurity standards, guidelines, frameworks and best practices,” according to AdvaMed CEO Scott Whitaker, who supports the bill.