The threat of a direct cyberattack on patients’ implanted or wearable medical devices has been limited to TV shows, so far. In reality, that danger could be less than two years away, according to a medical device security expert from PricewaterhouseCoopers (PwC).
Half of patients surveyed this year by PwC said they would be wary of using any connected medical device if such an attack should occur, according to the company’s 2016 report on top health industry issues. Slightly more than half said they would think twice about using devices made by the manufacturer of the hacked device. Nearly 40% would be wary of using a hospital where such an attack took place. Sixty-two percent of consumers told the company last year that they value device security more than ease of use.
The likelihood of a cyberattack that would shut down a pacemaker or cut off insulin supply pales in comparison to that of a cyberattack on patient information stored and transmitted by medical devices, said PwC cybersecurity expert Mick Coady.
No one is pretending it won’t happen, however.
In October 2014, FDA issued a guidance statement recommending that medtech manufacturers consider cybersecurity risks as part of the design and development of medical devices. In July 2015, FDA advised health providers to stop using an infusion pump because of its vulnerability to hacking.
Data breaches not only scare consumers and regulators, they also cost a lot of money. An estimated 85% of large health organizations experienced a data breach in 2014, with 18% of breaches costing more than $1 million to remediate, according to the PwC report.
Meanwhile, medical devices and the information they collect and transmit are exposed to layers of insecurity. Connected devices are vulnerable by virtue of their data transmission connectivity. So are the smartphone apps that gather and send that information, and the hospital IT systems that store it.
Within a hospital, concerns swirl around medical devices that provide vital services to patients and are connected to the hospital’s IT and Wi-Fi systems, making both the devices and the patients vulnerable to attack.
Manufacturers and hospitals have a great deal of work to do to protect patients and their private information, and to limit their own liability. New devices protected from the outset with security features may have a market advantage over existing ones, Coady said. He has been working with device manufacturers to figure out where in a product’s R&D lifecycle to insert security controls. He advises them to do so “early and often.”
“Those devices capture an enormous amount of patient information and store it on the device, whereas 15 years ago, they did not,” Coady said. “No medical device has ever been built with security in it; none at all.”
In addition to safeguarding their new devices, manufacturers will need to coordinate with hospitals to inventory existing devices, whether they’re on a shelf, implanted in or worn by patients, or freestanding in a hospital, and figure out how to safeguard them from cyber vulnerability. Manufacturers are ultimately liable for a device security breach and are more aware of vulnerabilities than either hospitals or patients, Coady said.
Hospital networks are far safer than individual devices, but still vulnerable. Some have been changing their networks’ zoning to add layers of security for devices, he added.
Ultimately, patients will decide whether to use a connected medical device.
“You weigh up the pro and con that way,” Coady said. “It’s hard not to be weighted toward the medical device operating the way it needs to.”
Nancy Crotti is a freelance contributor to MD+DI. Read more of her work at http://nancycrotti.com.