We recently looked at medical device security and how MSPs can work in the market. As the IoT grows to include more and more of peoples’ daily lives, it is becoming more important to place some focus on this topic.
Healthcare IT News summed it up this way in an article earlier this year:
“The threat to medical devices is real and happening now – and it’s a patient safety issue, much more than one of HIPAA compliance.”
Much of the danger lies in hospitals. Most of them are still using outdated legacy systems that are not designed to stand up against modern-day cyber threats. The other danger lies in newer devices that don’t have the dual functionality to meet both patient and cybersecurity needs.
Add to those factors a lax regulatory environment on the security side and you have a potential security threat. The security issues are bad for patients, but good for MSPs that might be able to offer solutions to these vulnerabilities.
A matter of life and death
This past week had a parade of medical device recalls. For example, the Food and Drug Administration has announced a “voluntary recall” by Medtronic of certain internet-connected programmers for implantable cardiac devices due to cybersecurity vulnerabilities.
This week, we spoke with Dr. Nick Jennings, an expert on medical device security. Dr. Jennings is vice-provost of Imperial College in London and served as the United Kingdom’s Chief Scientific Advisor for National Security from 2010-16. He also oversaw the research and release of an in-depth report about medical device connectivity and its benefits and dangers earlier this year. That full report is available here. Dr. Jennings talked to SmarterMSP about the report and medical security in general.
One of the questions we asked Dr. Jennings, was, what unique challenges are inherent to medical devices that are different from, say, the local accounting office or the bank. The most significant difference is clear: The smooth running of the electronic devices can literally be a matter of life and death.
A cyber-attack on a connected medical device, which may be an implantable or non-implantable device, could result in severe consequences in relation to patient safety, and it could even be life-threatening.
“A cyber-attack on a connected medical device, which may be an implantable or non-implantable device, could result in severe consequences in relation to patient safety, or it could even be life-threatening,” Jennings said.The impacts of a cyber-attack on a medical device can range from a mild inconvenience — if it’s a simple wellness device — to potential death, if it is a critical life support system. Jennings explained that unsecured connectivity could also serve as a portal for bad actors to cause more substantial problems to the health system, which could result in disruption to the delivery of care and risks to the integrity of patient data.
A terrorism target?
There’s more concern around connected medical devices than there have been actual attacks, to date. There are more security vulnerabilities found than have been exploited, yet. However, Jennings says, attacks are theoretically possible, and the risk will grow. According to Jennings, the risk of such an attack gets bigger as medical devices and equipment are increasingly connected to the internet or networked in some other way and with the growth in consumer, wearable, and mobile technologies.
The integration of external IT systems used by healthcare providers is becoming more integrated with clinical engineering functions and suppliers.
“In the case of a pacemaker with Bluetooth connectivity, an attack is possible, but the attacker would have to be in fairly close proximity to the patient, given the Bluetooth range,” Jennings shares.
What can be done to secure these devices?
There needs to be a coordinated, united effort by many stakeholders to secure medical devices. Jennings illustrated this with a few examples:
– Healthcare providers need to be more aware of the vulnerabilities that exist in products provided by their supply chain, and to demand secure products. This will provide a greater incentive for manufacturers to produce secure devices.
Medical device regulation needs to take security as well as safety into account. There needs to be better cybersecurity risk management frameworks suitable for the health sector, and better clarification of roles and responsibilities around cybersecurity in health provider governance.
– Manufacturers need to create devices that are ‘secure by design’. The U.K. government has set out a code of conduct for device manufacturers of IoT devices — many of these principles apply to manufacturers of medical devices. The United States and other countries lack some of the same stringent standards.
Once these standards have been established, this will create a more secure environment for patients and members in the healthcare field.
Again, the vulnerabilities are there, and it’s only a matter of time before we start to see them exploited more frequently. This is an issue SmarterMSP will continue to follow, along with the associated potential opportunities that come with it for MSPs.
Photo: Khakimullin Aleksandr / Shutterstock.