Who's Worried About Medical Devices Being Hacked?

December 1, 2014

The cybersecurity of medical devices is on the mind of the FDA, which recently issued recommendations for security on wireless medical devices.

There is probably one in your pocket or bag, and perhaps another on your desk. Wireless devices are everywhere, and their use in healthcare is becoming more prevalent: wireless defibrillators, insulin pumps, camera pills, and pacemakers are already in use, and birth control and fertility monitors might not be far off. But there's a problem: wireless devices are especially susceptible to hacking and viruses. Getting a virus on a personal smartphone or computer is serious, but the ramifications of medical devices being compromised could be devastating or even fatal.

Medical devices that are interconnected can improve patient care, but they do come with a certain amount of risk. Even when precautions are taken, there is no guarantee that any device is going to be completely immune to potential security breaches. The risks can include outdated software, compromised passwords, infection with malware, and software security gaps. Smaller or portable devices can also be physically lost or even stolen. A malfunction of a wearable or implanted device, whether accidental or intentional, could have serious consequences for a patient.

The FDA is aware of the potential risks with medical devices and has issued recommendations, entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” There have been no specific threats or concerns, nor have there been any incidents of patients reporting harm, but the FDA has determined that there is a need to develop an interdisciplinary panel of stakeholders, such as device manufacturers, hospitals, and cybersecurity professionals.

The FDA has made some recommendations on security for wireless medical devices. They ask that engineers start by designing their medical devices with cybersecurity concerns in mind, such as how to protect core functionality in the case of a security breach. The guidelines go on to ask manufacturers to submit potential security risks, as well as any recommendations or plans on how to mitigate them, to the FDA.

End users should also be given written instructions on how to manage potential security breaches. Devices should be secure, yet the safety measures should not be an impediment to their use by patients or practitioners. Other recommended safeguards include secure data transfer, strong password protection, physical locks, and user authentication prior to software or firmware updates.

What are your thoughts?