Technology is a double-edged sword. It helps automate many aspects of healthcare, making it easier to share information. As more of the healthcare world becomes outsourced to third-party providers, the need to share this information continues to grow.
But as seamless as the integration can make patient care, it also opens the door to the risk of malicious activity. Healthcare data, which often includes personal identifiers like Social Security numbers and credit card numbers, carries real value on the black market. And in some cases, medical devices provide an easy entry point for hackers to steal this information.
What is a Medical Device?
A medical device is any type of diagnostic or medical intervention device. Some devices are external tools like glucose meters and pulse-oximeters. Other devices are implantable. An implantable medical device, like a pacemaker, is surgically placed inside the body.
Some medical devices store and transmit personal information. This information is intended to help clinicians provide better patient care. But enabling access to information has an unintended side effect: it also makes sensitive data available to malicious sources that may attempt to use the data for financial extortion.
Medical Device Security
To address those risks, medical device cybersecurity has become a growing concern in the healthcare technology space. While security risks might be inherent to the design of some devices, the majority of risk comes from outdated apps and weak encryption passwords.
The majority of healthcare workers have expertise in healthcare and not technology, so the individuals using these devices also contribute to security risks simply by how they handle the device information. Here are some tips for how healthcare organizations can better manage device security:
- Designate a security officer within the organization who is responsible for communicating with peers on technology issues.
- Conduct annual cybersecurity training with all employees who access network resources.
- Implement the use of cybersecurity software.
- Establish processes to make sure that all network resources receive regular updates.
- Use appropriate encryption methods when transmitting data, and enforce proper password measures.
- Sign up for updates from your tech manufacturers so you never miss an update or new release.
Alternova understands the importance of developing secure, valuable technologies to improve patient care in the medical industry. From conception to deployment, we are a committed partner every step of the way. We would love to discuss your next project. Contact us today!
Cybersecurity Challenges for Medical Devices
Medical information is ranked as the single most valuable type of information on the black market. This means that there is no shortage of hackers attempting to obtain it. At the very least, they can sell the data and make a quick buck. However, the more likely target of a healthcare data breach is extortion of a significant dollar payout from an institution like a hospital. In February of 2020, there were 39 healthcare data breaches in a single month. And this was a typical month.
Medical devices provide an easy target for hackers because they are mass-produced, meaning they all have the same technology. Once a hacker figures out how to get in, they can access millions of similar devices with data ripe for the picking.
So the devices are often easy to access and full of valuable data, which provides plenty of motivation. Add to that scenario that the patients and clinicians who handle these devices often have limited knowledge about cybersecurity.
While the actions are often unintentional, a lack of user knowledge creates another exposure for the medical data transmitted by these devices. Keeping everyone up to date on developments in cybersecurity that involve the software and appliances in your facility is a big undertaking.
Managing Cybersecurity Risks
Did you know that hospitals account for 30% of all data breaches? The healthcare industry is a big target, costing nearly $6 trillion. Some medical devices pose significant risks to personal data. While it is unlikely that a substantial breach will come from checking oxygen levels with a wearable medical device, more sophisticated technology poses a more significant risk.
For example, in 2017, St Jude’s Hospital admitted security vulnerabilities associated with cardiac devices. A watchdog report released by another company exposed vulnerabilities in pacemakers that were developed with universal code. The report suggested that this code could easily be hacked to interfere with devices and put patient lives at risk. Following that disclosure and the subsequent admission by St Jude’s Hospital, the security concern was mitigated with a patch release.
But who is responsible when it comes to managing cybersecurity risks in medical devices? The device manufacturer bears the brunt of the responsibility for managing cybersecurity risks. However, the facilities that use the devices are equally responsible for managing updates and patches for any devices in use.
FDA Cybersecurity Guidelines
The Food and Drug Administration (FDA) oversees medical devices. While the FDA has historically investigated devices for suspicions of defect or death, they are becoming increasingly concerned with the cybersecurity of medical data as it is passed through these devices.
FDA guidance for medical device cybersecurity includes:
- Restriction of unauthorized device access.
- Updating firewalls.
- Monitoring network activity and identifying unauthorized use.
- Disabling unnecessary ports, features, and services.
Technology is revolutionizing patient care, providing more real-time access to diagnostic data for timely diagnosis and treatment of conditions. By all accounts, healthcare technology is helping save lives. But the tradeoff is a new risk to personal data. Medical devices may transmit personal data and, in some cases, may be connected to networks that contain lots of personal data. Hackers have found medical devices to provide easy access points to healthcare data mines, and exploiting their weaknesses is reasonably straightforward. The healthcare industry will have to take a firmer stance on cybersecurity measures to protect patient data.
Alternova specializes in developing technology for the healthcare industry. If you are looking to build a healthcare app or fix failing technology, we can help. Contact us today to learn more!