By James Swann
Newly discovered vulnerabilities are opening up hospital medical devices to attacks from hackers that could harm patient safety and damage credibility.
Device makers are relying on information sharing and limiting access to devices as they look to prevent potential hacks.
Device security was recently highlighted by a research team from cybersecurity firm McAfee that broke into a central patient monitoring station in seconds and modified patient vital signs.
Central monitoring stations allow nurses and doctors to keep an eye on the vital signs for several patients at once. An attack could lead to patients receiving the wrong medications or unnecessary tests.
The cyberattack threat is forcing hospitals and medical device manufacturers to take new measures to protect networked devices from hackers. The average cost of a successful cyberattack across all industries is $3.8 million, according to the 2018 Cost of a Data Breach Study released by the Ponemon Institute in July.
Cybersecurity is a rapidly evolving field, and medical device software can quickly become outdated, exposing devices to hacking threats.
One way to mitigate cybersecurity risks is to limit access to a networked medical device. GE Healthcare manufactures a patient monitoring system that functions on a dedicated and isolated network and has no connection to the larger hospital network, a spokeswoman for GE Healthcare told Bloomberg Law.
The McAfee test involved hacking into unencrypted clinical networks, and it didn’t identify any weakness that would render the GE systems vulnerable to remote hacks, the spokeswoman said.
Medical device users should also conduct frequent risk assessments of all their internet-connected devices, Richard Staynings, chief security and trust officer at Nashville, Tenn.-based Clearwater Compliance, told Bloomberg Law.
Medical devices take about five or six years to go through testing and clinical trials before they receive Food and Drug Administration approval, meaning that brand-new devices arriving in hospitals today were designed using technology that may already be out of date, Staynings said.
“Anyone connecting their 2012 Windows computer to the internet without any security software or updates would more than likely be compromised inside 10 minutes, yet that’s what we do with medical devices,” Staynings said.
Medical devices that can’t be updated or retired should be isolated from a hospital network using compensating security controls, Staynings said. Many of the larger hospital systems are turning to micro-segmentation, which keeps a tight control over access to specific medical devices, Staynings said.
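The isolation and micro-segmentation approach described above amounts to a default-deny allow-list around each device: only explicitly permitted flows may reach a monitor or central station, and anything else (including traffic from an address that is missing from the device inventory) is flagged. The following is an added example written for this article, not code from GE Healthcare, Clearwater Compliance or any other party mentioned here. The device subnet, inventory entries, permitted flows and flow-log lines are all constructed for illustration, and the flow-log format is a hypothetical one.

```python
"""
Micro-segmentation policy check over flow records (constructed example).

A per-device allow-list, the "compensating control" for devices that cannot
be patched, is evaluated against sample flow records. Any flow touching the
device segment that is not explicitly permitted is reported as a deny, and
any segment address that is not in the inventory is reported separately,
since an unknown device is itself a finding.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical isolated device segment (assumption: devices live on one dedicated subnet).
DEVICE_SEGMENT = ip_network("10.50.0.0/24")

# Hypothetical device inventory: address -> device label (constructed values).
INVENTORY = {
    "10.50.0.11": "bedside-monitor-ICU-1",
    "10.50.0.12": "bedside-monitor-ICU-2",
    "10.50.0.20": "central-station",
}

# Allow-list of (source, destination, destination port, protocol).
# Everything else that touches the device segment is denied by default.
ALLOWED_FLOWS = {
    ("10.50.0.11", "10.50.0.20", 443, "tcp"),   # monitor -> central station
    ("10.50.0.12", "10.50.0.20", 443, "tcp"),   # monitor -> central station
    ("10.50.0.20", "10.60.0.5", 443, "tcp"),    # central station -> hypothetical EHR gateway
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one constructed flow-log line: 'src=... dst=... dport=... proto=...'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())


def in_segment(addr):
    return ip_address(addr) in DEVICE_SEGMENT


def evaluate(flow):
    """Return the policy verdict for one flow: ignore, unknown-device, allow or deny."""
    if not (in_segment(flow.src) or in_segment(flow.dst)):
        return "ignore"  # does not touch the device segment; outside this policy's scope
    for end in (flow.src, flow.dst):
        if in_segment(end) and end not in INVENTORY:
            return "unknown-device"  # an address in the segment we have no record of
    if (flow.src, flow.dst, flow.dport, flow.proto) in ALLOWED_FLOWS:
        return "allow"
    return "deny"  # default-deny: the flow is not on the allow-list


def audit(lines):
    """Evaluate every flow line and return a list of (verdict, Flow) pairs."""
    return [(evaluate(f), f) for f in map(parse_flow, lines)]


def summarize(lines):
    """Count verdicts across the given flow lines."""
    counts = {}
    for verdict, _ in audit(lines):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample flows; none are real traffic.
SAMPLE_FLOWS = [
    "src=10.50.0.11 dst=10.50.0.20 dport=443 proto=tcp",  # permitted monitor -> station
    "src=10.50.0.11 dst=10.50.0.12 dport=445 proto=tcp",  # monitor-to-monitor SMB: not permitted
    "src=10.20.7.3 dst=10.50.0.20 dport=22 proto=tcp",    # workstation SSH into station: not permitted
    "src=10.50.0.99 dst=10.50.0.20 dport=443 proto=tcp",  # segment address missing from inventory
    "src=10.20.7.3 dst=10.20.7.9 dport=80 proto=tcp",     # unrelated traffic: ignored
]

if __name__ == "__main__":
    for verdict, f in audit(SAMPLE_FLOWS):
        print(f"{verdict:15} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Run stand-alone, the script prints one verdict per sample flow: one allow, two denies, one unknown-device and one ignore. In practice the allow-list would be enforced on the segment's firewall or switch ACLs, and a check like this one would run over exported flow logs to catch both policy gaps and devices that never made it into the inventory.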
Patient monitoring devices are the latest medical devices to face potential hacking threats, following April reports from the FDA on the vulnerability of cardiac defibrillators, commonly known as pacemakers.
Abbott Labs, for example, had to issue a security patch to fix security vulnerabilities within several pacemaker models.
The threats have also hit the radar screen of the Health and Human Services Office of Inspector General, which is reviewing the cybersecurity of networked medical devices for a report that will be released by the end of September, an OIG spokesman told Bloomberg Law.
Medical device manufacturers are focused on fixing cybersecurity vulnerabilities and are in the process of creating an information sharing and analysis organization (ISAO) for the device industry, Zack Rothstein, associate vice president for technology and regulatory affairs at the Advanced Medical Technology Association in Washington, told Bloomberg Law. The new organization will help manufacturers share cybersecurity threats and vulnerabilities with each other.
The ISAO is still in the development phase but will be operating by the end of the year, Rothstein said.
Awareness of the cybersecurity threat to medical devices has grown, but the actual threat has remained static, Rothstein said.
“We’re not aware of a medical device being targeted and hacked,” Rothstein said.
However, even a theoretical threat has to be treated very seriously, and medical device manufacturers are working closely with the rest of the health-care sector to prevent any hacks.
The McAfee research was presented at mid-August hacking conferences in Las Vegas. The researchers were able to exploit a software vulnerability and make real-time changes to patient vital signs, which include everything from heart rhythms to oxygen levels.
Medical device cybersecurity should be a shared responsibility among manufacturers and device users, Rothstein said. A lot of large hospital systems have sophisticated cybersecurity policies and systems, but smaller facilities often don’t have very robust cybersecurity, Rothstein said.
There’s an ongoing debate over how cybersecurity risk and liability should be shared by device manufacturers and end users, Rothstein said. “We don’t have a good sense of how it could be done,” Rothstein said.
“This is absolutely a major concern for hospitals, but it’s unclear if it’s a real concern for the device makers as they continue to produce insecure devices,” Mac McMillan, president and chief executive officer of CynergisTek, a cybersecurity consulting firm in Mission Viejo, Calif., told Bloomberg Law.
The Black Hat and DefCon conferences in Las Vegas where McAfee presented its research showed how vulnerable some of these medical devices are, but there’s a real lack of awareness of the risks that exist in deployed devices in most hospitals, McMillan said.
In some cases, hospitals can’t even produce an accurate inventory of their devices, McMillan said.