Medical Device Security and the FDA
Over the past few years there have been a number of high profile data breaches, from companies like The Home Depot to Target. But it isn’t just large retailers who are vulnerable to cyber attacks. An increasing number of industries are facing network security issues, and some of these industries would be in a much tougher spot if their information was lost or their systems were compromised.
One such industry is health care. Unfortunately, healthcare organizations haven’t been as diligent about cybersecurity issues. Healthcare IT spending is only about one-fifth the size of comparable industries, showing a significant lack of effort and a clear need for network security improvements.
In an effort to address this issue, the U.S. Food and Drug Administration (FDA) recently issued a number of new guidelines aimed at medical device manufacturers. The hope is to help improve the security measures of these devices, in order to better protect patient information and improve treatment. Some of these new recommendations include:
Limiting device access to trusted users through the use of authentication, such as IDs, passwords, smart cards and biometrics
Using data encryption to ensure information is secure when transferred between devices
Implementing features that allow for security compromises to be detected, recognized, logged, timed and acted upon
Providing information to end users about the appropriate actions to take upon detection of a cybersecurity event
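To make the third and fourth recommendations concrete, here is an added example (not from the article, the FDA, or any device vendor) of the kind of check a device could run over its own audit log: repeated authentication failures from one source within a short window are detected, recorded with the time of detection, and turned into a notice that tells the operator what to do. The log line format, the field names, the threshold and window, and the sample entries are all assumptions constructed for this example.

```python
"""
Added example (not from the original article): a minimal audit-log check
that illustrates the recommendation that compromises be detected,
recognized, logged, timed and acted upon, and that end users be told
what action to take.

Assumptions (not from the article): the device writes one line per event as
    <ISO-8601 timestamp> <event> user=<id> src=<ip>
and a burst of authentication failures from one source inside a short
window is treated as a suspected credential-guessing attempt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical device, users and addresses).
SAMPLE_LOG = """\
2015-03-01T08:00:01Z auth_ok user=nurse01 src=10.0.0.5
2015-03-01T08:02:10Z auth_fail user=admin src=10.0.0.77
2015-03-01T08:02:12Z auth_fail user=admin src=10.0.0.77
2015-03-01T08:02:15Z auth_fail user=root src=10.0.0.77
2015-03-01T08:02:19Z auth_fail user=admin src=10.0.0.77
2015-03-01T08:02:21Z auth_fail user=admin src=10.0.0.77
2015-03-01T08:10:00Z auth_fail user=nurse01 src=10.0.0.5
2015-03-01T08:30:00Z auth_ok user=nurse01 src=10.0.0.5
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this window raises an alert


def parse_line(line):
    """Parse one audit line into (timestamp, event name, dict of key=value fields)."""
    ts_text, event, *kv = line.split()
    ts = datetime.strptime(ts_text, TIME_FMT)
    fields = dict(item.split("=", 1) for item in kv)
    return ts, event, fields


def detect_auth_bursts(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert record per source that crosses the failure threshold.

    Each record carries the detection time (the "timed" part of the
    recommendation), the evidence, and the action the operator should take.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        if event != "auth_fail":
            continue
        src = fields.get("src", "unknown")
        q = recent[src]
        q.append((ts, fields.get("user", "?")))
        # Slide the window: discard failures older than WINDOW relative to this one.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)  # report each source once per burst
            alerts.append({
                "detected_at": ts.strftime(TIME_FMT),
                "src": src,
                "failures_in_window": len(q),
                "users_tried": sorted({user for _, user in q}),
                "action": "lock out the source address and notify the device operator",
            })
    return alerts


def render_operator_notice(alert):
    """Turn an alert record into the plain-language message shown to the end user."""
    return (f"[{alert['detected_at']}] Suspected credential guessing from "
            f"{alert['src']}: {alert['failures_in_window']} failed logins "
            f"(accounts tried: {', '.join(alert['users_tried'])}). "
            f"Recommended action: {alert['action']}.")


if __name__ == "__main__":
    for alert in detect_auth_bursts(SAMPLE_LOG):
        print(render_operator_notice(alert))
```

Run against the constructed log, the single failed login from the nurse's workstation produces no alert, while the burst from 10.0.0.77 is reported once, at the moment the fifth failure lands, together with the accounts it tried and the recommended response.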
It should go without saying that protecting health information and securing medical devices is a big deal. Unlike other industries, tampering with healthcare equipment and personal health records could lead to serious risks, even death. With those dangers in mind, you’d think manufacturers would be a lot more conscious of potential threats facing their devices. However, this isn’t the case. Many medical devices aren’t designed to allow for software patches. As a result, when major vulnerabilities like the recent Heartbleed or Shellshock come along, there is no way to patch the system and prevent attacks. Not to mention, with so many devices interconnected on a single network, once one machine is compromised, others can fall victim as well. Hopefully the new FDA guidelines will encourage manufacturers to improve their devices so they can be updated in order to fight new security threats.
When these devices are compromised, it doesn’t simply mean a loss of private patient information. Yes, sensitive information falling into the wrong hands is scary, but there are even scarier outcomes. So much medical equipment is controlled by computers, meaning hackers who break into the network could alter drug infusion pumps and administer lethal doses, or control defibrillators and deliver random shocks. In addition, medical records could be altered, leading doctors to prescribe the wrong medicine or leaving them unable to access important documents during life-threatening situations.
Another area contributing to medical network security issues is the many insecure, IP-enabled devices brought into hospitals and clinics. Bring Your Own Device (BYOD) trends aren’t specific to just one industry. Almost everyone is looking to use their phones, tablets or whatever for work. Studies show that 69 percent of hospital nurses and 80 percent of physicians are using their personal smartphones at work. That doesn’t even count all the other devices entering hospitals with patients and visitors. BYOD has many positive aspects. When healthcare professionals use devices with which they are familiar, it can help improve access to information and increase productivity. Those are incredibly important features when lives are on the line. However, these devices aren’t always secure, meaning they could be the means of data leaks and network infections. Doctors could use their tablets to store patient information, but if those devices aren’t properly protected, that information could easily fall into the wrong hands. When working to improve network security, IT professionals working in the healthcare industry will need to consider solutions capable of handling BYOD.
For the moment, the FDA recommendations are only guidelines, not regulations. Following them is voluntary, but that shouldn’t encourage manufacturers or hospitals to take their cybersecurity lightly. With new devices come new threats, and healthcare organizations could face severe penalties if they don’t take the right steps to protect their patients and their information.