Are Medical Device Companies Taking Cyber Security Seriously?

Some medical device makers are doing a good job of addressing security risks to their products, while others are lagging, says one consultant.

June 11, 2014

2 Min Read
Are Medical Device Companies Taking Cyber Security Seriously?

Medical device security has been a hot button topic ever since Jay Radcliffe hacked his insulin pump on stage at the Black Hat Security conference nearly three years ago. But are medical device companies really taking the issue seriously?

A recent MD+DI reader poll on the subject after news of the Heartbleed internet security bug went public showed that it’s a mixed bag. Less than 10% of respondents said Heartbleed would spur the industry to take the issue of cyber security seriously, while around one-third said it would likely take an even bigger security breach to bring about change. Two-in five respondents said it’s about time the industry sees the light when it comes to cyber threats.

Geoffrey Pascoe, a specialist master with Deloitte, echoed those results today at MD&M East in New York City.

“Some vendors are taking it very seriously, but it’s very uneven” Pascoe said, adding that companies such as GE Healthcare and Philips Healthcare have had very active medical device security programs in place since at least the early 2000s. Other firms, however, haven’t been as diligent.

Pascoe laid out seven elements that comprise a good medical device security program:

  • Security Risk Assessment

  • Security Event Handling

  • External Communications

  • Metrics and Monitoring

  • Audits and Assessment

  • Education and Training

  • Strategy, Charter Governance, and Policy

And though he said many medical device makers have implemented some sort of a security program, their efforts probably aren't as comprehensive as they should be.

“I would be surprised if all [medical device companies] had every one of these elements in place,” Pascoe said.

As a result, medical device security is compromised more often than many of us think.

“Breaches are happening all the time,” Pascoe said.

As yet, he said he has no firsthand knowledge of a patient being harmed as a result of a cyberattack but added that entire hospitals were affected by network worms that shut down platforms running on Windows in the early to mid-2000s.

“Entire swaths of medical devices were failing within a day,” he said. “That has absolutely happened.”

As governments, regulators, and customers are taking a closer look at the issue, he suspects device companies, too, will start paying more attention to the issue of cyber security.

Jamie Hartford, managing editor, MD+DI
[email protected]

[image courtesy of STUART MILES/FREEDIGITALPHOTOS.NET] 

Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like

Editors' Choice

TGA approval
Regulatory & Quality
Axonics F15 Recharge-Free SNM Nabs Australian TGA Approval
Axonics F15 Recharge-Free SNM Nabs Australian TGA Approval

May 17, 2024

Plastic Syringe
Medical Device Regulations
FDA Adds Two New Chinese Manufacturers to Do Not Use Plastic Syringe List
FDA Adds Two New Chinese Manufacturers to Do Not Use Plastic Syringe List

May 17, 2024

miniature parts for medical devices
Manufacturing
Accumold Brings Medical Micro Molding to MD&M South
Accumold Brings Medical Micro Molding to MD&M South

May 17, 2024

Recent Headlines