Device Makers Take Note: Cyber Attacks Are Already Hitting Healthcare

Find out why some medical device manufacturers aren't adequately protected against cyber attacks and what companies can do to increase cybersecurity.

Marie Thibault

Cyber attacks aren't merely a threat of the future for healthcare companies and hospitals. In recent months, hospitals all over the country—California, Indiana, Kansas—have reported cyber attacks on their network systems that store patient information. The personal data of millions of patients may have been compromised.

Stephanie Preston, cyber embedded systems engineer at Battelle, says that she is aware of various instances of ransomware attacks on hospital systems and malware being found on medical devices. And as MD+DI has reported, the FBI and FDA have issued alerts and safety communications about cybersecurity for medical devices.

Fortunately, there are signs that all of these headlines and alerts are hitting home for medical device manufacturers.

Knowing Is Half the Battle

Preston says that she has noticed more awareness in the medical device community about the need for cybersecurity. "I think we're still at the beginning, but I think I'm really optimistic that we're moving in the right direction . . . There's still a lack of knowledge, but there's a huge area of interest, which I find a great sign," she says.

As more evidence that cybersecurity is becoming a hot topic for the device industry, an upcoming conference being hosted by the Massachusetts Medical Device Industry Council (MassMEDIC), "Preventing the Unthinkable: Issues in MedTech Cyber Security—Trends and Policies," is devoted to the topic. The event, taking place on October 1, was conceived to put regulators, security experts, and medtech professionals in one room "to come together to talk about common trends and policies and best practices, to share with a larger audience from the medical device community," says Tom Sommer, president of MassMEDIC.

Where's the Talent?

Preston, who will be speaking at the conference, says that the increasing level of education about medical device professionals is lifting one of the barriers to better defenses against cyber attacks. But more education isn't enough, Preston notes. Lack of talent is another hurdle. "All industries that need cybersecurity professionals are struggling to find enough people who understand security to fill those roles," she says.

As someone who spends her days reverse engineering systems, Preston says that she and most other security professionals are self-taught. "I'm hoping that [the talent shortage] will start to be cured as more and more universities adopt cybersecurity programs," she says.

Long Development Cycles

Unlike the tech and software industries, medical device companies have years-long product development timelines. It is not uncommon for companies to have a five to seven year horizon on commercializing a new device. And once the device is being used by or implanted in a patient, it may have a very long life. That can be another challenge for manufacturers looking to prevent cyber attacks. Preston says, "That's something that's a little unique to the medical device community. I hear people draw correlation between the financial industry and payment processing, credit card swipe machines, but the truth is, those machines have a much shorter life cycle both from development and in the field . . . it really makes medical devices that much more unique—and challenging, truthfully."

What to Do?

So how can a medical device maker keep up with the latest cybersecurity defenses? It's critical to have someone who has both detailed knowledge of hackable weaknesses and the medical device's features. Preston explains, "Say I see a new attack that comes out for Bluetooth, or a certain mode of Bluetooth. Well, if I'm ingrained in the design team, I know, 'Hey, these are the three devices that could essentially be vulnerable to that new exploit.'"

While the lack of talent may make finding that expert difficult now, it's becoming more and more essential, not just for patient safety and company reputation, but also for manufacturers' pocketbooks. Preston points out that some purchasing agreements and discussions with hospitals are beginning to incorporate the issue of security vulnerabilities and putting the onus on device manufacturers. Whether this will become a larger trend remains to be seen.

One thing that device makers should definitely do? Stop using outdated technology. "Everytime I hear something like "this device is running Windows XP," it honestly—if I were hooked up to some kind of heart rate monitor, you would see it spike—because that terrifies me," Preston says.

Preston recommends manufacturers consider investing in fuzz testing, which automates testing of the device against hundreds of thousands of pieces of data in order to identify problems. She says she thinks fuzz testing offers the "best price per pound," but does point out that a security professional is needed to help companies analyze the results of the testing.

Sommer notes that device companies are putting more focus on the software components of device design. "We're seeing elevated interest in these issues and sort of a new aspect of product development, which is software development, the code writer . . . becoming that much more heightened because of these incidents," he says.

Want to catch up on the latest in medical device innovation? Register for the MD&M Minneapolis conference , November 4–5, 2015.

Marie Thibault is the associate editor at MD+DI. Reach her at marie.thibault@ubm.com and on Twitter @medtechmarie 

[Image courtesy of SHEELAMOHAN/FREEDIGITALPHOTOS.NET]