How Vulnerable Is Your Medical Device to a Cyberattack?

An industry expert discusses how medical device companies need to have a shift in thinking when handling cybersecurity threats.

Heather R. Johnson

September 12, 2024


At a Glance

  • Experts like Shiva Nathan argue developers must adopt a forward-thinking approach to data security.
  • The increase in connected medical devices amplifies security risks.
  • Nathan will be giving a presentation on cybersecurity during MD&M Minneapolis on Wednesday, Oct. 16, 2024.

Hospitals and health systems large and small are prime targets for cyberattacks, compromising sensitive patient data and putting lives at risk. And that risk is on the rise: between 2022 and 2023, the number of healthcare sector attacks more than doubled, according to the Cyber Threat Intelligence Integration Center.

These attacks not only compromise patient care but also bottom lines. The massive Change Healthcare breach cost larger health systems about $100 million per day. The perpetrators are sophisticated enterprises, often driven by foreign countries considered a threat to the American public. Sometimes, these bad actors enter through systems that lack multifactor authentication. Other times, they enter through connected medical devices.

With more connected devices comes more risk. These devices, and their software, link to electronic medical records systems, vendor systems, and payor systems. Any weak link in the chain presents an entry point for an attack.

In response to the increase in cybersecurity breaches, FDA issued guidance on device design, labeling, and documentation. While FDA’s framework is strong, Shiva Nathan, founder of Onymos, a developer of solutions for software and application development, believes medical device developers must go beyond that guidance to properly secure their devices.


MD+DI spoke with Nathan recently to get a handle on the gravity of the situation. He also shares what needs to shift within medical device development to mitigate the risks associated with connected devices and systems.

Let’s start with the million-dollar question. How vulnerable are connected medical devices specifically to cyberattacks?

Nathan: It’s not even a million-dollar question anymore. It's a hundreds-of-billions-dollar or a trillion-dollar question, because healthcare is a huge part of the U.S. GDP.

The bad actors are nation-states with large budgets behind them. “Countries of concern” is how the White House refers to them.

If a nation-state can make our healthcare sector vulnerable, it impacts our larger economy. It's not about getting your data or my data. It's about how to make our healthcare costs go through the roof.

Bad actors look for a vulnerability, a weak link in the chain, through which they can attack, hold data for ransom, or get a hospital to shut down. It's much more sinister.

How common is it for bad actors to use a medical device or medical device software as an entry point to get into a larger set of data?

Nathan: It’s very common. Medical devices are made by hardware manufacturers. Software is not second nature to those with traditional hardware backgrounds. Software and addressing software vulnerabilities are the domain of software companies. That's why medical devices are lagging behind when it comes to software and understanding its vulnerabilities.


As recently as 10 to 15 years ago, these companies were making medical devices that just sat at the bedside. The data did not leave the device. Many of these devices have now become connected devices, but making the software that supports them is an afterthought right now. And that's why we’re seeing these problems today.

Cybersecurity challenges are changing medtech

Skilled labor shortage notwithstanding, should medical device companies start recruiting specialized talent?

Nathan: Every industry is transforming itself to be a software industry. The medical device industry will become a software industry in the next 10 to 15 years, if not already. The leadership creating and upgrading these medical devices will come out of software. Then it will become second nature to them to think about software, cybersecurity, and so on.


FDA is prioritizing medical device cybersecurity, as shown in its finalized guidance and recent update. Are the recommendations in these documents enough?

Nathan: No, we are running to where the puck was. We are not moving to where the puck will be.


We have to start thinking about where that puck will be because the people who are trying to attack us are no longer what we used to see in movies: one computer wizard typing furiously on a keyboard, sitting in the basement or a garage, and trying to hack. It's not that. These are well-funded companies with hundreds of thousands of engineers sitting in data centers with vast resources and CPU power trying to attack our nation's infrastructure. And they're reading the same document that FDA put out.

The onus is on the medical device companies to plan ahead. FDA is doing what it can, which is saying, ‘These are the problems we know about; make these things stronger.’ That's what they can do.

Smart medical device CIOs, CTOs, and CISOs are already thinking about data leakages, vulnerabilities, the cost of a breach or attack, and the risk of a recall. It’s at the top of their minds now.

Where is the puck today?

Nathan: When devices become connected, and you bring all of that data to a central location, I call this a honeypot problem. If you keep a honeypot in your house, all the bees will come. There is a huge return on investment for the hackers to attack a honeypot—the central location where everyone’s data is aggregated. These honeypots are the SaaS vendors we all use. Why waste time and effort attacking one medical device company when you can attack that company’s SaaS vendor and get even more data?

With the rise of AI tools and services, there is also the problem of whether or not we can even truly anonymize our data anymore. I'll give you a hypothetical use case. Let's say a person goes to the local urgent care to get tested for a sexually transmitted disease. The nation-state actors get that data.

The hospital replaced his name with 12345. The nation-state pairs that result with a blood pressure measurement they recovered of, let's say, 130 over 90. Who are all the men in this neighborhood that have this blood pressure? How many of their phones were in this urgent care neighborhood between 8 o'clock and 10 o'clock? How many of them went to this pharmacy to get the medication? That’s one person. And let's say that one person happens to be a congressman. Now, the nation-state can pressure the congressman.

It used to be tough to correlate all this information. But now, with machine learning and AI, the process of finding correlations becomes much faster and easier. 
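The re-identification scenario Nathan describes above is, in privacy-engineering terms, a linkage on quasi-identifiers: replacing a name with a token leaves the combination of blood pressure, neighborhood, visit time, and pharmacy unique to one person. The example below is added here to illustrate that point and is not code from the article or from Onymos. It uses a constructed, labeled sample dataset (not real patient data) and a simplified blood-pressure bucketing, and shows how a defender can measure the risk before releasing data: compute the k-anonymity of the release, list which tokens are unique, and check how many tokens are consistent with one externally observed profile, first for the raw pseudonymized export and then after generalising the quasi-identifiers.

```python
from collections import Counter

# Constructed sample (not real patient data): a clinic export where the name
# has been replaced by a token, as in the interview's "12345" example, but the
# quasi-identifiers the interview names are released untouched.
RECORDS = [
    {"id": "12345", "bp": "130/90", "zip": "94110", "hour": 9,  "pharmacy": "A", "result": "pos"},
    {"id": "23456", "bp": "130/90", "zip": "94110", "hour": 9,  "pharmacy": "B", "result": "neg"},
    {"id": "34567", "bp": "118/76", "zip": "94110", "hour": 9,  "pharmacy": "A", "result": "neg"},
    {"id": "45678", "bp": "118/76", "zip": "94112", "hour": 10, "pharmacy": "A", "result": "neg"},
    {"id": "56789", "bp": "142/95", "zip": "94112", "hour": 8,  "pharmacy": "B", "result": "pos"},
    {"id": "67890", "bp": "120/78", "zip": "94110", "hour": 11, "pharmacy": "A", "result": "neg"},
    {"id": "78901", "bp": "135/88", "zip": "94112", "hour": 10, "pharmacy": "B", "result": "neg"},
    {"id": "89012", "bp": "125/82", "zip": "94110", "hour": 8,  "pharmacy": "A", "result": "neg"},
]

# Columns that are not names but can be observed from outside the dataset
# (a recovered reading, a phone's location, a pharmacy visit).
QUASI_IDENTIFIERS = ("bp", "zip", "hour", "pharmacy")


def qi_tuple(record, quasi):
    """The record's quasi-identifier values, in a fixed order."""
    return tuple(record[q] for q in quasi)


def equivalence_classes(records, quasi):
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(qi_tuple(r, quasi) for r in records)


def k_anonymity(records, quasi):
    """The dataset's k: the smallest equivalence class. k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def unique_tokens(records, quasi):
    """Tokens whose quasi-identifier combination appears exactly once."""
    classes = equivalence_classes(records, quasi)
    return [r["id"] for r in records if classes[qi_tuple(r, quasi)] == 1]


def candidates_for(records, quasi, observation):
    """Tokens consistent with an externally observed set of quasi-identifier values.
    A defender uses this to measure how far a release narrows the population."""
    target = tuple(observation[q] for q in quasi)
    return [r["id"] for r in records if qi_tuple(r, quasi) == target]


def generalise(record):
    """Coarsen the quasi-identifiers before release.
    The blood-pressure bucket is a simplified two-way split for illustration,
    not a clinical classification (assumption of this example)."""
    systolic, diastolic = (int(x) for x in record["bp"].split("/"))
    return {
        "id": record["id"],
        "bp": "high" if systolic >= 130 or diastolic >= 80 else "normal",
        "zip": record["zip"][:3] + "**",   # 5-digit zip -> 3-digit prefix
        "hour": record["hour"] // 4 * 4,   # exact hour -> 4-hour window
        "pharmacy": "*",                   # suppressed entirely
        "result": record["result"],        # the sensitive attribute is kept
    }


if __name__ == "__main__":
    raw_k = k_anonymity(RECORDS, QUASI_IDENTIFIERS)
    print(f"raw release: k={raw_k}, unique tokens={unique_tokens(RECORDS, QUASI_IDENTIFIERS)}")
    seen = {"bp": "130/90", "zip": "94110", "hour": 9, "pharmacy": "A"}
    print("tokens matching one observed profile:", candidates_for(RECORDS, QUASI_IDENTIFIERS, seen))

    released = [generalise(r) for r in RECORDS]
    print(f"generalised release: k={k_anonymity(released, QUASI_IDENTIFIERS)}")
    seen_gen = {"bp": "high", "zip": "941**", "hour": 8, "pharmacy": "*"}
    print("tokens matching the same profile after generalisation:",
          candidates_for(released, QUASI_IDENTIFIERS, seen_gen))
```

On the raw export every token is unique (k = 1), so a single observed profile resolves to exactly one token and the pseudonym protects nothing. After generalisation the smallest class has three members and the same observation is consistent with five tokens. The measurement is the useful part: a release should not go to a SaaS vendor or a data lake until the k for the quasi-identifiers that an outsider can plausibly observe is acceptable, and the set of quasi-identifiers should be chosen conservatively, since the interview's point is that AI tooling makes more columns linkable than used to be practical.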

What is the most valuable data to hackers within a healthcare environment?

Nathan: Every piece of data about you and your patients is important. All the bad actors need is a small piece of the puzzle to get started. No data is too trivial to secure.

What recommendations do you have for manufacturers of legacy devices, as well as manufacturers developing new devices to secure their products?

Nathan: For new devices, manufacturers must develop a data posture right from the clean-paper design. Security posture alone is no longer enough. There needs to be a data posture. They must think about where the data from the device is going. How is every single piece of data obfuscated and encrypted? Should the data stay in the device?

If you are using a SaaS vendor, start asking questions. Why should I give this data to a SaaS vendor? When software as a service started, it was supposed to be an exchange of money for service. But it became an exchange of money and data for service. That model is broken.

We want to change it, so the data stays with you. Does the vendor need your user data? Can the service be obtained without giving up your data?

For legacy devices, upgrade cycles have to happen sooner because they are the weakest link in the chain, and if they are not upgraded, they will break. That's more important than making your device fancier.

Nathan will be giving a presentation titled How Vulnerable Are Software, Devices & Organizations to a Supply Chain Attack? at MD&M Minneapolis on Wednesday, Oct. 16, 2024.

About the Author

Heather R. Johnson

Heather R. Johnson is a consultant and writer for the medical and clinical technology industries. She’s based in the San Francisco Bay Area.

