A Complete Guide to Cybersecurity for Medical Devices


The topic of cybersecurity for medical devices made national headlines recently because of a new initiative by the U.S. Food and Drug Administration (FDA) to enhance medical device cybersecurity across the board.  

As part of the $1.7 trillion federal omnibus spending bill signed in November, and under FDA guidance, all new medical device applicants must submit a formal plan to “monitor, identify, and address” cybersecurity risks. In addition, medical device manufacturers will need to make security updates and patches available, both routinely and in emergencies, and will need to provide “a software bill of materials” listing the open-source and other software components that their devices use.

The new FDA guidance establishes better protection for hospitals, doctors, and patients. Still, it’s a problem that requires vigilance from all parties involved, especially the healthcare facilities that use these devices on a regular basis. Our medical device cybersecurity company in Dallas is here to share with you a complete guide on all aspects of IT services for healthcare.

What are the Cybersecurity Challenges of Medical Devices?
Why are Cybersecurity Risks for Medical Devices So High?
What Types of Medical Devices Have Cybersecurity Vulnerabilities?
What are the Regulations and Standards of Cybersecurity for Medical Devices?
How Can Healthcare Organizations Enhance Cybersecurity in Medical Devices?
The Best Way to Ensure Effective Medical Device Cybersecurity is to Have a Partner

The Importance of Cybersecurity for Medical Devices  

A 2022 FBI report found that 53% of digital medical devices and other internet-connected devices in hospitals had known critical security vulnerabilities, spanning a wide array of medical devices.

Insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, and pacemakers all have security risks. Therefore, healthcare organizations need to be aware of the dangers and have risk management measures in place to protect their sensitive patient data.  

There are many connected devices in a healthcare environment, including multiple third-party software products and medical devices, and maintaining data integrity across all of them is imperative for healthcare organizations.

It is therefore essential to understand the fundamentals of medical device cybersecurity for the connected medical devices that your healthcare providers use every day.

From current medical device regulations that enhance patient safety to the best practices for connected devices, here are the basic medical device security guidelines that industry stakeholders should know to mitigate security risks. 


What are the Cybersecurity Challenges of Medical Devices?  

Rapid technological advances and the Coronavirus pandemic are transforming digital health care. Today, networked medical devices are commonplace, and a single hospital or healthcare organization may have thousands of connected devices.

Medical device software and tools are used at a healthcare facility to collect patient data, run tests and diagnoses, and administer treatment as needed. However, in our modern era, patients also use distributed medical devices at home.

This scenario can promote patient safety at the hospital and home, but it comes with inherent cybersecurity vulnerabilities. 


Cybersecurity Challenges for Medical Devices

There have been multiple studies that have dug into the cybersecurity risks of medical device software and medical devices, and the findings are troubling. 

  • A 2018 report from the US Department of Health and Human Services Office of the Inspector General said the FDA was not adequately protecting devices from getting hacked. That finding helped drive the 2022 push to enhance cybersecurity in medical devices.
  • In 2021, a group of researchers investigating medical device software found more than a dozen vulnerabilities that, if exploited, could cause critical equipment like patient monitors to crash. The researchers also found that more than 4,000 devices made by a range of vendors in the healthcare, government, and retail sectors were running the vulnerable software, raising the cybersecurity risk to critical levels.
  • In March 2022, Palo Alto Networks and its Unit 42 Threat Intelligence team discovered that as many as 75% of infusion pumps connected to hospital networks may be vulnerable to digital attacks, potentially affecting patient safety or exposing private data. The team used crowdsourced data from scans of more than 200,000 smart infusion pumps and found that three out of four devices had known security gaps.
  • According to the 2022 Cost of a Data Breach report by IBM, the cost of a breach in the healthcare industry has increased by 42% since 2020. The average total cost of a data breach in the healthcare industry is $10.1 million, giving healthcare the highest average data breach cost of any industry for the 12th year in a row.
  • In its Medical Device Safety Plan, the FDA stated that they oversee more than 190,000 different devices, which are manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide. While the medical device regulations apply to all of these devices, the scope of devices that the FDA has to monitor is simply too large to effectively enact cybersecurity controls across the board.  


Why are Cybersecurity Risks for Medical Devices So High? 

Medical devices (and healthcare facilities) are some of the world’s biggest and most popular targets for cyberattacks.   

Connected devices store some of the most valuable information for bad actors, including patient information, credit cards, social security numbers, birth dates, and more.  

In addition, because there are so many connected devices that transmit patient data, finding a weak link can be a relatively simple process. There is always a vulnerable point in a healthcare organization’s security architecture and/or network security where these cybersecurity issues can flourish. 

The end result can be a devastating data breach for healthcare facilities. However, more importantly, it can cause huge patient safety risks. For example, in 2018, a team of hackers demonstrated that they could remotely manipulate a widely used pacemaker, causing the medical device manufacturer to temporarily shut down in order to protect its vast network of medical device users.  

What Types of Medical Devices Have Cybersecurity Vulnerabilities? 

The simple answer to this question is that all connected medical devices in a healthcare setting can have cybersecurity vulnerabilities. However, some networked medical devices pose a higher risk to patient safety than others.

Medical devices with enhanced security vulnerabilities include the following: 

Pacemakers and Heart Rate Monitors 

Pacemakers and heart rate monitors are medical devices that can be easy to hack, particularly when an attacker is in close range. According to a 2021 summary from the DHS, “an attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication.” 

MRI Devices 

MRI devices are deeply connected medical devices that are integrated into an entire hospital network. In 2018, a group called Orangeworm hacked into X-ray and MRI machines in America, Europe, and Asia and discovered that they could sabotage the MRIs, as well as the broader healthcare facility.

Wearable Health Devices 

Wearable medical devices that patients use constantly and at home are becoming more popular, and as such, the associated cybersecurity risks are climbing. Medical device security is especially imperative for these devices simply because they contain sensitive data, and a data breach can have an impact on patient safety.  

Hearing Aids, Insulin pumps, and other Common Devices 

Any medical device that stores data, and is connected to the internet, can be a breeding ground for cybersecurity issues. With thousands of medical devices in a hospital setting (as well as at patients’ homes), it’s safe to assume that medical device cybersecurity is a broad issue that requires a security risk management process by all stakeholders – from medical device manufacturers to healthcare providers.  


What are the Regulations and Standards of Cybersecurity for Medical Devices?

There are several guidelines, provided by the FDA, the NIST cybersecurity framework, HIPAA, and other cybersecurity and government agencies, that lay the groundwork for medical device security.

The recent FDA guidance that became effective in 2023 could arguably be called the new gold standard for medical device manufacturers. This is because it’s now a mandatory policy for the production of any new medical device.  Since 2005, the FDA has been striving to enhance medical device cybersecurity across the board, and the more recent versions of the FDA draft guidance cover the total device lifecycle.   

While previous versions of the FDA’s draft guidance and associated guidance documents filled in noticeable gaps for medical device cybersecurity, newly revised guidance documents cover more and more specifics when it comes to device requirements. 


FDA Guidance Regarding Cybersecurity for Medical Devices

The most recent FDA guidance document, formally known as the Protecting and Transforming Cyber Healthcare (PATCH) Act and passed as part of the omnibus spending package in December 2022, includes the following guidelines for medical device manufacturers.

  • The sponsor of an application or submission for a medical device shall submit to the FDA Secretary a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.  
  • The sponsor of an application or submission for a medical device will design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cyber secure. 
  • The medical device sponsor or applicant will make postmarket updates and patches to the device and related systems available to address known postmarket cybersecurity vulnerabilities and/or critical vulnerabilities that could cause uncontrolled risks.
  • The medical device sponsor or applicant will provide the FDA Secretary with a software bill of materials, including commercial, open-source, and off-the-shelf software components. 
  • The medical device sponsor or applicant must comply with such other requirements as the FDA Secretary may require through regulation to demonstrate reasonable assurance that the device and related systems are cyber secure. This may include postmarket surveillance and other security risk management measures for the duration of a device’s lifecycle.

Medical device security leaders are thankful for the security requirements in the new FDA guidance. However, these guidance documents alone can’t possibly ensure total and complete medical device security. The same 2022 FBI report found that most medical devices have a lifecycle of 10-30 years. Without routine asset management by a healthcare facility, many of these medical device manufacturer updates and patches may go unnoticed.  

How Can Healthcare Organizations Enhance Cybersecurity in Medical Devices? 

Medical device manufacturers may be working behind the scenes to address risk management (thanks to the new FDA security requirements). However, healthcare organizations are at the frontlines of medical device security. 

As such, it’s essential to have a far-reaching risk management strategy that makes medical device cybersecurity a core component of your facility’s security architecture.

There are steps that healthcare facilities can take to mitigate cybersecurity risks and address cybersecurity threats before they become a larger, detrimental problem. To better manage cybersecurity risks, healthcare providers will want to adopt the following security requirements in their own risk management policies. 

Routinely Monitor and Update all Networked Medical Devices 

Updates, patches, and fixes are often available for the cybersecurity threats that can impact the medical devices you use every day. Monitor these medical device updates regularly and review the device requirements that describe best-use practices.

Keep an eye on data breaches in the healthcare industry. Sometimes, medical device manufacturers have to recall or update products to ensure patient safety. Stay up to date on any new cybersecurity vulnerability that has been identified in your medical devices and proceed accordingly.  
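As an added illustration, not part of the original article, the following shows how a facility could cross-check its device inventory against vendor advisories using the per-device software bill of materials that the FDA guidance above requires manufacturers to supply, so that an available patch does not go unnoticed. Asset IDs, model names, component names, versions and advisory IDs are constructed placeholders.

```python
"""Cross-check device SBOMs against vendor advisories to find unpatched devices.
Added example, not from the original article; asset IDs, component names,
versions and advisory IDs are constructed placeholders."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    component: str    # software component named in the vendor advisory
    fixed_in: str     # first version that contains the fix
    advisory_id: str  # placeholder reference such as "VENDOR-ADV-001"

@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    sbom: dict        # component name -> installed version, taken from the SBOM

def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))

def unpatched_components(device: Device, advisories: list) -> list:
    """Return (component, installed, fixed_in, advisory_id) for each advisory
    naming a component that this device runs at a version below the fix."""
    findings = []
    for adv in advisories:
        installed = device.sbom.get(adv.component)
        if installed is None:
            continue  # component not present on this device
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.component, installed, adv.fixed_in, adv.advisory_id))
    return findings

def fleet_report(devices: list, advisories: list) -> dict:
    """Map asset_id -> findings, listing only devices that still need a patch."""
    report = {}
    for device in devices:
        findings = unpatched_components(device, advisories)
        if findings:
            report[device.asset_id] = findings
    return report

# Constructed sample inventory and advisories for demonstration only.
ADVISORIES = [Advisory("netstack", "2.4.1", "VENDOR-ADV-001"),
              Advisory("tls-lib", "1.9.0", "VENDOR-ADV-002")]
FLEET = [Device("PUMP-0001", "infusion-pump-x", {"netstack": "2.3.7", "tls-lib": "1.9.2"}),
         Device("PUMP-0002", "infusion-pump-x", {"netstack": "2.4.1", "tls-lib": "1.9.2"}),
         Device("MON-0017", "patient-monitor-y", {"netstack": "2.4.3", "tls-lib": "1.8.0"})]
```

Running `fleet_report(FLEET, ADVISORIES)` flags PUMP-0001 and MON-0017, each with the component, installed version, fixed version and advisory to act on; devices with nothing outstanding are omitted.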

Have a Plan for Managing Cybersecurity Throughout Your Healthcare Organization 

Healthcare organizations often do not address cybersecurity risks until it’s too late, and a small issue has turned into a large and noticeable problem. Create a security risk management plan that outlines the updates, scans, and routine checks that are part of your everyday medical device security measures.

Train Your Team and Your Patients 

One of the most common ways cybercriminals can access a medical device is via a single employee, patient, or other device user. Make sure everyone who is connected to your healthcare facility’s medical devices understands the fundamentals of mitigating their cybersecurity risks.  

This includes important procedures like creating impossible-to-guess passwords, not sharing sensitive information, and knowing how to identify common phishing schemes.  


The Best Way to Ensure Effective Medical Device Cybersecurity is to Have a Partner 

Even the largest hospitals and healthcare facilities, with talented and extensive IT teams handling security risk management, can’t do it all. With thousands of medical devices used on a daily basis, being able to routinely monitor and identify cybersecurity risks is an impossible task. Remember, it just takes one medical device to lead to a facility-wide problem. 

This is why you need our healthcare cybersecurity experts in Dallas at your side. We fully understand the changing cybersecurity regulations and FDA security requirements, as well as the gaps in medical device cybersecurity that need to be covered. Our security risk management services include regular device monitoring throughout your facility to ensure that every aspect of your operations is protected. 

We can start by conducting a healthcare cyber risk assessment to identify the potential threats that are already present in your operations. Additionally, we can even help your healthcare providers and security leaders develop a detailed cybersecurity policy plan to guide you well into the future.  

Managing cybersecurity is a full-time job, but you don’t have to tackle security risk management on your own. We understand how valuable patient safety is to your healthcare organization, and we can help pave the way for better medical device cybersecurity in the long term. 

Let’s start a conversation about your medical device security risk management and how we can ensure that all of your medical devices are protected when it comes to cybersecurity.  

Reach out to our team at Emeritus today