If a device – any device – is connected to the Internet, it can be hacked.
That is essentially the message that the Food and Drug Administration (FDA) released to hospitals, medical-device manufacturers, and anyone who works in health-related technologies. The warning said:
Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.
The alert also listed a number of ways the health industry and medical devices could be attacked.
According to The Economist, more than half of all medical devices sold in the United States rely on software. The article pointed out that three decades ago, a simple bug in the software of a radiotherapy machine resulted in the machine shooting overdoses of radiation into patients, killing nearly a half dozen. Imagine what would happen if someone hacked into a medical device. It is literally life-or-death cybersecurity.
The FDA alert is a warning of what could happen, not what is happening. As far as we know, there have been no reported malicious attempts against any devices, either in use or in the manufacturing stage. But anyone who understands cybersecurity realizes that just because it hasn’t happened yet doesn’t mean it can’t. Kudos to the FDA for putting the word out proactively and raising awareness of the potential risks. Because of the immense amount of personal data held within the health industry’s databases, there is already awareness regarding data breaches into patient records – and there have been problems for some hospitals and insurance companies when it comes to protecting that data – so providing cybersecurity for medical devices should be the logical next step. I hope the health industry takes heed of the FDA’s alert.
But it is equally important for security to be promoted on the manufacturing side, before the device ever leaves the factory. The FDA recognized that, stating:
The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices. Specifically, we recommend that manufacturers review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device. The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach.
It is so easy to disregard the importance of cybersecurity. We see it on so many levels – why else is the human risk factor so high? However, when cybersecurity literally hits the heart, perhaps then more will take the threats seriously.