Connected Device Security: Why It's Getting More Serious

Chris Newmarker

November 13, 2015

FDA is due for more scrutiny over whether it is sufficiently regulating hospitals' networked medical devices.

The Inspector General Office at the U.S. Department of Health and Human Services has a new item on its to-do list: determine whether FDA has enough controls to protect networked medical devices at hospitals from the "growing threat" of hacking.

The new goal is part of a recently released Office of Inspector General work plan for the upcoming fiscal year. The office plans to examine whether FDA's oversight is enough to effectively protect patient health information in the devices, as well as ensure safety.

"Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records (EMRs), and the larger health network, pose a growing threat to the security and privacy of personal health information. Such medical devices use hardware, software, and networks to monitor a patient's medical status and transmit and receive related data using wired or wireless communications," the Inspector General Office said in the work plan.

The item notes that medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms meant to assist healthcare providers when it comes to assessing information security.

The news of the Inspector General Office review is but the latest sign that cybersecurity is increasingly becoming a concern when it comes to medical devices.

As a Wired article stated last year: "It's Insanely Easy to Hack Hospital Equipment." In fact, hospitals and other healthcare institutions have likely been hacked through their medical devices without knowing it, according to a report by TrapX, which recreated three such attacks to learn how they work.

In the past, hackers have apparently not been on many medical device companies' radar. Reuters in 2014 cited a private notice from the FBI alleging that "[th]e healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."

The industry has already seen some major security breaches. Medtronic, for example, disclosed in an annual report that it was victimized by hackers infiltrating the company's computers--and that two other medical device companies faced similar hacking incidents.

"It's like a war, and everything you have in place is not sufficient to counter an attack. ... We have state sponsored hackers. So that's what we're facing now," Olayinka James, then chief information security officer (CISO) at Zimmer (now a cybersecurity risk director at GE), said at last year's MD&M Minneapolis.

Hospira, meanwhile, has been hit with a number of FDA safety communications over infusion systems vulnerable to hacking. In one of the latest communications, FDA advised health providers to stop using a device altogether. Hospira had already stopped making and distributing the device, the Symbiq infusion system, due to unrelated issues that FDA first brought up in 2013.

Chris Newmarker is senior editor of Qmed and MPMN. Follow him on Twitter at @newmarker.
