What is Networked Medical Device Cybersecurity?
The Internet of Things (IoT) is the interconnection and communication between internet-enabled physical devices. The growth of such devices has been explosive, as smart devices such as wearables, sensors, phones, cars, appliances, and household gadgets become prevalent in more and more aspects of daily living. The proliferation of these devices has outpaced the security science behind them, leaving many vulnerable to threats and attacks. This is especially concerning for networked medical devices, which perform a variety of critical and sensitive tasks. Networked medical devices may be worn, embedded, or stationary; examples include hospital imaging equipment, pacemakers, infusion pumps, consumer health wearables, chemotherapy dispensing stations, ventilators, scanners, and blood gas analyzers. Of these, attacks on embedded medical devices are the most alarming to contemplate, but they are far less likely to occur than attacks on stationary medical devices. Cyberattackers are largely motivated by the prospect of financial gain, and medical data such as insurance information and social security numbers can be far more valuable than other types of data such as credit card numbers.
The following are examples of issues that leave networked medical devices vulnerable to cybersecurity threats:
Outdated devices. Medical device manufacturers do not routinely patch or update software, and when they do, they may rely on healthcare organizations to perform the updates. Healthcare organizations tend to use each medical device for more than 20 years, increasing its exposure to attack.[1] Outdated operating systems and software are security vulnerabilities in their own right, and they are likely to no longer be supported by the manufacturer, so known flaws remain unpatched.
Inadequate medical materials management. Healthcare organizations have an average of 10-15 medical devices per bed, and thousands per organization. Because many of these devices are portable, it is difficult to inventory, manage, and maintain them, and a device that is not in the inventory cannot be patched or monitored.
Unprotected communication and weak passwords. With so many networked medical devices to manage, overburdened staff may choose weak passwords or insecure login methods in order to expedite their access to devices. This makes it easier for cyberattackers to gain unauthorized access to the devices and network.
The FDA suggests that medical device manufacturers and healthcare delivery organizations take the following steps to ensure appropriate safeguards are in place to mitigate cybersecurity risks in medical devices:[2]
- Medical device manufacturers (MDMs) are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.
- Health care delivery organizations (HDOs) should evaluate their network security and protect their hospital systems.
- Both MDMs and HDOs are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.
[1] McKeon, 2021, “3 Barriers to Achieving Medical Device Security”
[2] FDA Digital Health Center of Excellence, 2022, “Cybersecurity”