Why Medical Device Cybersecurity Is Essential
Everything from wearable and remote devices to the CT, MRI, ultrasound, and X-ray machines you find in hospitals is connected to a network, and anything connected to the internet is vulnerable to cyber attacks — no exceptions. That includes your smartwatch, and health apps on your smartphone, which contain location and sensitive health information.
Unfortunately, the growing cybersecurity risks for medical devices haven’t increased healthcare’s attention to security. Many providers have inadequate budgets for development or testing and don’t provide necessary updates to the software, primarily because they never planned for updates when first developing the devices and software.
The healthcare sector isn’t any better, as only 4-7% of the average healthcare facility’s budget is spent on cybersecurity. Most other industries spend up to 15%, including companies in the financial sector. There’s a pressing demand for stronger medical device cybersecurity, and the FDA’s recent addition of Section 524B (Ensuring the Cybersecurity of Devices) to the FD&C Act reflects this need.
Read on to discover why cybersecurity is essential for network-connected medical devices, what the government is doing to address the problem, and why your data is at risk.
What Is Medical Device Cybersecurity?
Medical device cybersecurity refers to the steps taken to ensure any medical device connected to a network is protected from cyberthreats, so patient electronic protected health information (ePHI) and personally identifiable information (PII) remain private. This includes all remote and in-house technologies in the healthcare sector, as well as any apps that are part of healthcare services.
The International Medical Device Regulators Forum (IMDRF) provides several ways for medical device manufacturers to improve cybersecurity, urging them to consider the following factors:
- How the device interacts with other devices and networks, how it communicates with devices supporting less secure methods of communication, and how to prevent unauthorized access and modification during data transfer.
- How the device could interfere with other devices and networks, if it may cause the software to lag or work improperly, if it’s cross-compatible with other devices, and whether custom-made devices (CMDs) may cause network disruption.
- Whether the level of encryption and other security measures for data storage and transfer are adequate, and if confidentiality risk control measures are required.
- Any risks affecting device integrity, including evaluating system-level architecture to determine if all obligatory design features are present alongside anti-malware controls.
- Methods of user access control and how to securely assign user roles and privileges.
- How to communicate information about regular updates, how software and hardware will be updated, requirements for conducting updates, and code verification for connection authenticity, as well as any other control measures in place.
Medical Device Cybersecurity Vulnerabilities
The biggest concern with any form of medical device is the large quantities of ePHI and PII they collect and store daily. Add poor cybersecurity to the mix and medical devices are prime targets for malware attacks, data theft, and device hijacking.
It isn’t just the new medical gadgets that are vulnerable — the FBI has raised concerns over legacy devices, as they pose some of the worst risks. Legacy software, protocols, and hardware are often outdated because medical firms don’t put much focus on upgrades or on cybersecurity of any kind. This overall lack of security makes older devices like insulin pumps a prime target for cybercriminals and can have deadly consequences.
Medical device development is constrained by ethical, budgetary, and regulatory factors, including compliance with the regulations of the US, EU, China, Australia, and the UK before a device can enter those markets.
Legislation surrounding medical device cybersecurity also varies from one region to another. For example, the European Medical Device Regulation (MDR) and In Vitro Diagnostics Medical Device Regulation (IVDR) define multiple cybersecurity requirements under their ‘general safety and performance requirements’. The US Food and Drug Administration (FDA) offers guidance documents explaining how manufacturers can meet all necessary cybersecurity requirements for medical devices.
While CMDs give patients more freedom in terms of where and when medical treatments and monitoring can happen, they raise serious privacy concerns because they transmit large amounts of patient information. Several laws are in place to help safeguard patient data, including the EU’s General Data Protection Regulation (GDPR), the US’s FD&C Act Section 524B, and the UK’s Data Protection Act 2018 (DPA18).
Violating any of the above regulations can be incredibly expensive, not to mention the damage it does to the manufacturer or healthcare facility’s reputation. Penalties can range from millions in fines and damages to patent refusals. Despite this, many CMD manufacturers still don’t take cybersecurity seriously during and after device development.
Unauthorized access is also a major concern as it can have more severe consequences than data theft. Attacks on CMDs can put a patient in danger and even cause fatalities. Without proper management, cybersecurity incidents can easily result in unintentional device malfunctions or delay necessary treatments.
Other key areas of neglect include establishing product security incident response teams, providing timely updates and patches to devices, and post-development cybersecurity planning. The failure to provide updates and patches in a timely manner ties into the lack of ownership and responsibility for legacy and non-legacy CMDs within healthcare institutions. Similarly, a small budget can limit the adequacy of pre- and post-development planning, ultimately leaving devices more vulnerable to threats.
This gross oversight means cybercriminals view healthcare providers, and the medical industry in general, as easy targets. So, exactly how much ePHI and PII do you put at risk using a CMD? Let’s take a look at the various types of CMDs and the cybersecurity risks accompanying them.
Medical Device Examples, Uses & Risks

| Type of Device | Example | Uses | Risk |
|---|---|---|---|
| Remote Patient Monitors (RPMs) | Continuous glucose monitoring; digital blood monitors | Remind patients to take meds, allow doctors to track health, and/or send vitals to healthcare professionals | RPMs collect and store massive amounts of ePHI, so unauthorized users could access this data and exploit your PII |
| Wearables | Smartwatches; software as a medical device (SaMD) | Monitor menstrual cycles, heart rate, sleep patterns, and more | SaMDs use behavioral and location tracking, and most share your data with third parties |
| Robotics | Intelligent drug dispensers; life alert tags | Help maintain medication schedules, alert EMS and law enforcement, and detect falls or other trauma | Malware and fatal misinformation |
| Artificial Intelligence (AI) & Machine Learning (ML) technologies | Smart sensors; some wearables and robotics | Could eventually detect an oncoming heart attack, stroke, seizure, or other medical issues | User consent is difficult to manage, and AI also raises serious cybersecurity and ethical issues |
Recent Healthcare Cybersecurity Breaches & Attacks
In the past eight years, healthcare cybersecurity breaches have skyrocketed. According to Privacy Rights Clearinghouse, the healthcare sector accounted for 76.59% of all data breaches between 2015 and 2019. The WannaCry cyber attack in 2017 practically crippled the National Health Service.
Once the crypto ransomware worm reached a machine, it encrypted critical files and held them for ransom. Because the worm could spread on its own across systems and networks, each newly infected PC brought another demand for a hefty ransom payment to unlock its files as well. This meant many hospitals and other healthcare facilities were unable to provide care to patients. Worse yet, all of it was entirely preventable with regular updates. In fact, two months prior to the WannaCry attack, Microsoft issued a patch which, if applied, would’ve stopped the ransomware.
Recovering from these cyber attacks isn’t cheap either. Companies face ransom demands from cybercriminals, penalties/fines from the government, not to mention damages and legal fees. This is on top of the cost of downtime and upgrades, patches, or replacements for outdated devices and software.
Diving Deeper — Other Well-Publicized Medical Device Security Incidents
Independent parties have uncovered plenty of other cybersecurity vulnerabilities in medical device software and hardware. Here are just a few examples:
Cyberattacks on the healthcare industry aren’t showing signs of slowing down. Based on a study by Check Point Research, cyberattacks against the healthcare industry increased by 60% between 2021 and 2022 — averaging a cost of over $10 million per incident.
Current FDA Medical Device Cybersecurity Standards
In late 2018, it became clear there was an increased need to address medical devices’ security vulnerabilities. The FDA and US Department of Homeland Security agreed to work together to develop written procedures for sharing sensitive information about cybersecurity threats with major stakeholders in an attempt to mitigate the risk of leaks.
The 2022 PATCH Act helped ensure any device requiring FDA approval after March 2023 would include cybersecurity measures to increase patient safety. Consequently, an amendment to the FD&C Act, Section 524B, became effective March 29, 2023. This created a cybersecurity standard for manufacturers of medical devices in the US.
FD&C Act, Section 524B – A Brief Overview of Key Points
Section 524B of the FD&C Act was amended in 2023 to include “Ensuring Cybersecurity of Devices.” This requires sponsors, aka manufacturers, developing medical devices to submit plans for monitoring, identifying, and addressing potential cybersecurity threats with their device development plan.
These plans also need to contain information about potential threats and vulnerabilities in the device during all stages of design and development. Sponsors must outline how they will continue to monitor processes and post-market vulnerabilities to ensure the device software and related systems remain cyber-secure.
Manufacturers must update and patch devices and all related systems to help prevent cyberattacks. This includes addressing (a) unacceptable vulnerabilities in a relatively timely manner on a justified regular cycle, and (b) critical vulnerabilities which may cause unnecessary risk as soon as possible.
All sponsors are expected to comply with additional cybersecurity requirements from the Secretary when needed, ensuring devices and related systems have working cybersecurity measures in place.
Manufacturers and sponsors of medical devices must submit information on how they meet current requirements under section 524B. Additionally, they need to provide the Secretary with a software bill of materials, including commercial, open-source, and off-the-shelf software components.
Punishments for non-compliance can range from refusing approval pending the sponsor submitting required information, to regulatory and legal consequences for failing to provide adequate cybersecurity for existing devices.
What Section 524B of the FD&C Act Means for Healthcare Providers & Manufacturers
Healthcare providers and manufacturers face potential fines for non-compliance with section 524B. Manufacturers could have patents for new devices refused because they don’t meet regulations. There are also additional costs associated with reworking plans, device downtime, and, in some cases, civil damages.
The changes to the FD&C Act under section 524B pose plenty of challenges for healthcare providers and manufacturers, including:
- Updating thousands of legacy medical devices adds an additional burden for healthcare facilities, especially since some legacy devices may not support updates.
- Dealing with the cost of replacing outdated devices recalled by the FDA can be daunting for hospitals.
- Many healthcare facilities don’t keep an updated inventory of all network-connected medical devices, which makes it virtually impossible to determine if devices have adequate protection.
- Updating or replacing medical devices requires solid planning and collaboration between manufacturers and healthcare facilities, which can be difficult.
- Manufacturers will need to provide better custom security controls throughout the device lifecycle.
- Manufacturers will need to develop better service schedules to ensure all medical device software and hardware have proper cybersecurity in place.
- Manufacturers must commit to open and honest communication with healthcare facilities if software or hardware for their devices is no longer considered secure per the FDA’s standards.
- It’s not feasible for hospitals to replace every outdated device due to budget restrictions. This means manufacturers will need to supply alternative solutions and work on developing security patches.
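The software bill of materials required under section 524B, the two remediation tiers it describes (critical vulnerabilities as soon as possible, other unacceptable ones on a justified regular cycle), and the inventory gap listed above all come together in one routine task: matching what is actually running on each networked device against published vulnerabilities. The following is an added example written for this article, not code from PIA, the FDA, or any device manufacturer. The device models, component versions, vulnerability identifiers, and remediation windows are constructed placeholders; the structure of the check is what matters.

```python
"""Added example: cross-check a device inventory and its SBOMs against a
vulnerability feed, then assign each finding a 524B-style remediation tier.
All devices, components, identifiers and time windows are constructed."""

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    """One entry of a device's software bill of materials (SBOM)."""
    name: str
    version: str


@dataclass(frozen=True)
class Device:
    """A network-connected device as recorded in the facility inventory."""
    asset_id: str
    model: str
    sbom: tuple  # Component entries; empty means the manufacturer supplied none


@dataclass(frozen=True)
class Vulnerability:
    """A known-vulnerable component version from a vulnerability feed."""
    vuln_id: str             # constructed placeholder, not a real CVE identifier
    component: str
    affected_versions: frozenset
    severity: str            # "critical", "high", "medium" or "low"


# Constructed inventory with hypothetical model names (assumption, not real products).
INVENTORY = (
    Device("RPM-0001", "ExampleGlucoseMonitor",
           (Component("openssl", "1.0.2"), Component("ble-stack", "3.1"))),
    Device("PUMP-0042", "ExampleInfusionPump",
           (Component("embedded-http", "2.4"), Component("openssl", "3.0.9"))),
    Device("CT-0007", "ExampleCTScanner", ()),   # legacy unit, no SBOM on file
)

# Constructed vulnerability feed with placeholder identifiers.
VULN_FEED = (
    Vulnerability("VULN-PLACEHOLDER-1", "openssl", frozenset({"1.0.2"}), "critical"),
    Vulnerability("VULN-PLACEHOLDER-2", "embedded-http", frozenset({"2.4", "2.5"}), "medium"),
)

# Remediation windows are assumptions for this example, not figures from the FDA.
CRITICAL_WINDOW_DAYS = 7    # "as soon as possible" tier
ROUTINE_WINDOW_DAYS = 90    # "justified regular cycle" tier


def remediation_tier(severity):
    """Map a feed severity onto the two remediation tiers section 524B describes."""
    return "as-soon-as-possible" if severity == "critical" else "regular-cycle"


def cross_check(inventory, feed, today):
    """Return (findings, missing_sbom).

    findings: one dict per vulnerable component per device, most urgent first.
    missing_sbom: asset ids that cannot be assessed because no SBOM exists."""
    findings, missing_sbom = [], []
    for device in inventory:
        if not device.sbom:
            missing_sbom.append(device.asset_id)
            continue
        for comp in device.sbom:
            for vuln in feed:
                if comp.name == vuln.component and comp.version in vuln.affected_versions:
                    tier = remediation_tier(vuln.severity)
                    window = CRITICAL_WINDOW_DAYS if tier == "as-soon-as-possible" else ROUTINE_WINDOW_DAYS
                    findings.append({
                        "asset_id": device.asset_id,
                        "model": device.model,
                        "component": f"{comp.name} {comp.version}",
                        "vuln_id": vuln.vuln_id,
                        "tier": tier,
                        "due": today + timedelta(days=window),
                    })
    findings.sort(key=lambda f: (f["due"], f["asset_id"]))
    return findings, missing_sbom


def run_example():
    """Run the check against the constructed data on a fixed date."""
    return cross_check(INVENTORY, VULN_FEED, date(2024, 1, 1))


if __name__ == "__main__":
    found, missing = run_example()
    for f in found:
        print(f"{f['asset_id']} ({f['model']}): {f['component']} -> {f['vuln_id']} "
              f"[{f['tier']}, due {f['due'].isoformat()}]")
    for asset in missing:
        print(f"{asset}: no SBOM on file; cannot be assessed")
```

The device without an SBOM is reported separately rather than silently passing: a facility that cannot say what software a device runs cannot claim it is patched, which is exactly the inventory problem the list above describes.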
Do Hospitals & Healthcare Providers Currently Meet FDA Guidelines?
Not even close. Most manufacturers of medical devices and apps, as well as the healthcare facilities using them, definitely don’t focus on cybersecurity enough, yet section 524B contains security requirements for medical devices — legacy and new. It’s a critical step toward ensuring connected medical devices offer adequate security.
The requirements are fairly straightforward for the most part, but some areas are open to interpretation — especially when it comes to legacy devices, as the guidance there primarily consists of ‘recommendations’ for how cybersecurity ‘should’ be handled.
Manufacturers and healthcare providers need to be more diligent to ensure a device or SaMD is secure before making it available to patients. Efforts to create data protection measures, thoroughly test device integrity, maintain software and hardware by providing updates and patches regularly, and include 2FA options for user authentication would go a long way. But individuals can also help by protecting their PHI.
How to Protect Your ePHI and PII
If you use smart watches or smartphone apps to track and monitor your health, you can add some much-needed protection by setting up a VPN on your router. This secures any network-connected device you use to access medical information, including computers, smartphones, smartwatches, and more.
PIA provides unbreakable AES encryption to make your health data unreadable when in transit. We also have dedicated apps for iOS, Android, Windows, macOS, and Linux, so you can access online medical records and use SaMDs privately.
Be Proactive — Protect Your ePHI and PII
Most of the blame tends to shift toward the manufacturer of the medical device or app and healthcare facilities, but this doesn’t mean you’re off the hook. As a user, you can also be diligent in protecting your privacy while using medical devices and SaMDs.
If your device is getting older, talk to your medical provider to find out whether a newer version is available and see if you can replace your old one. Medical device manufacturers are held more accountable under 524B, so newer devices must be compliant with higher cybersecurity standards.
Make sure you apply medical device and SaMD updates to maintain device integrity, use 2FA and anti-malware measures when available, and use PIA VPN for added security.
FAQ
Medical device cybersecurity encompasses all the security measures taken during development and after the medical device is in use, including providing updates, security patches, adequate encryption, malware protection, and more. This helps ensure any medical device connected to a network is secure, and decreases the risk of cyberattacks.
While medical device cybersecurity standards only pertain to device manufacturers and healthcare facilities, you can do things to mitigate the risk of a cyberattack while using SaMDs like fitness and health tracking apps. Pay close attention to app permissions requests and download a trustworthy VPN service to ensure traffic encryption.
Medical devices collect, store, and transfer massive amounts of ePHI and PII — some can even tell you what dose of medication to take.
Without adequate cybersecurity in place, your medical devices are easy targets for ransomware. This puts your personal information, and potentially your life, at risk any time you connect your device to a network — especially public wifi.
The NIST Cybersecurity Framework is a five-step framework for continuously managing cybersecurity on medical devices. The five steps are identify, protect, detect, respond, and recover.
Gartner Research estimated the NIST framework would be used by 50% of US organizations in 2020. Yet, a 2023 Healthcare Cybersecurity Benchmarking Study found 40% of facilities using NIST still aren’t compliant with response and recovery planning.
Some medical devices are not compatible with VPNs. Including this capability could go a long way toward meeting the ‘protect’ stage of the NIST framework in medical equipment.
Yes, but not just any VPN. PIA VPN improves your network’s security and gives you the privacy you need. We offer strong VPN encryption methods to make your traffic unreadable. Our VPN also has a strict No Logs policy, so your online activity remains private while you’re connected.
Please note some medical devices don’t support the use of VPNs yet. Contact your healthcare professional or the manufacturer of your device to find out whether configuring PIA on your home router can increase device security. Fortunately, you can use our dedicated iOS and Android apps on your smartphone to increase data privacy while using SaMDs.