Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Ryan E. Day
How BioBridge Global leverages a digital QMS in the heavily regulated world of regenerative medicines
Taran March @ Quality Digest
From digital submissions to integrated document control, the agency moves into the lean arena
Dirk Dusharme @ Quality Digest
By scaring off small medical-device companies, Canada could limit number of important and innovative products
Mike Richman
For answers to some troubling life-science questions, ask a quality professional
Ryan E. Day
Finch Therapeutics forges a QMS for a life-saving treatment not yet approved by the FDA

More Features

FDA Compliance News
VQIP allows for expedited review and importation for approved applicants that demonstrate safe supply chains
An invite from Alcon Laboratories
Intended to harmonize domestic and international requirements
The FDA wants medical device manufactures to succeed, new technologies in supply chain managment
Pharma quality teams will have performance-oriented objectives as well as regulatory compliance goals
Strategic investment positions EtQ to accelerate innovation efforts and growth strategy
The FDA’s RMAT designation goes live
Awards help states implement multiyear produce-safety systems

More News

Ann Cleland

FDA Compliance

Are Your Medical Devices Secure?

Physical well-being and confidentiality depend on it

Published: Wednesday, October 4, 2017 - 11:02

If your hospital or clinic uses a Windows 7-based version of a Siemens PET/CT or SPECT system, it could be vulnerable to attack by a relatively low-skill hacker, according to a July 26, 2017, security advisory from the company.

The Industrial Control System Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, also released an advisory on the vulnerabilities, each of which were scored at a “critical” level of 9.8 out of 10 on the Common Vulnerabilities Scoring System (CVSS). And recently, the FDA recalled 465,000 pacemakers after finding vulnerabilities that could let hackers reprogram the devices.

Both advisories note that the exploitability of these vulnerabilities depends on an organization’s configuration and deployment environment. In a network that lacks proper segmentation or other access controls, a successful hack of a medical device could open a portal into the larger network.

All of which brings us to the essential question: What havoc could a malicious actor wreak, not just on the device itself, but on the confidentiality, availability and integrity of your entire IT system?

A matter of life and death

The game of overhyping cybersecurity risks for marketing purposes is one we try hard not to play. However, we don’t think it’s overstating the case to say that vulnerabilities in medical devices can have fatal consequences. Former U.S. Vice President Dick Cheney knew that, which is why he had his wireless pacemaker disabled.

Most patients don’t have a high-profile target on their backs, but their medical records do. A single Medicare or Medicaid medical record commands up to $500 on the black market. Vulnerable medical devices can serve as a huge blinking arrow beckoning cyber thieves to this rich bounty.

Regulators take cybersecurity very seriously. The Centers for Medicare & Medicaid Services (CMS) has hit HIPAA-covered entities with multimillion-dollar fines for privacy and security violations.

A task force convened by the Secretary of Health and Human Services stated in its June 2017 “Report on Improving Cybersecurity in the Health Care Industry,” “Healthcare cybersecurity is a key public-health concern that needs immediate and aggressive attention.”

The FDA issued recommendations for improving the security of connected medical devices. Among these nonbinding recommendations, the FDA urges that “manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks.”

Follow good security hygiene

Unfortunately, “security by design” remains the exception rather than the rule. But users of these devices can implement some “basic hygiene” measures to mitigate the impact of vulnerabilities such as those in the Siemens molecular imaging devices.
Isolate medical devices from the electronic health record (EHR) and the rest of the network. Imagine an intruder breaks in through your front gate only to find all the doors to your house unlocked. This scenario is frighteningly close to reality for many hospitals and clinics. When connected medical devices are hooked into the larger IT network, an attacker can gain access to the device and leapfrog easily to patients’ medical files and other valuable, sensitive data. In addition to a properly segmented network, other controls healthcare IT departments should strongly consider include locating medical devices behind firewalls and making them inaccessible from the public internet.
Implement patches as soon as they become available. Unfortunately, medical device manufacturers often don’t have the infrastructure to identify vulnerabilities and issue patches. Even when manufacturers do issue patches, the IT departments of resource-strapped hospitals and clinics may not get the message.
Back up all systems regularly. A backup and system restoration process will not prevent a hacking incident, but it will minimize the consequences of a successful attack.

No matter your role, it is within your power to improve cybersecurity in your organization simply by asking the question, “What are we doing to prepare for a cybersecurity incident?”

Even if you don’t get a satisfactory answer, keep asking. The safety of your patients and the stability of your organization may depend on it.

Discuss

About The Author

Ann Cleland’s picture

Ann Cleland

Ann Cleland is a partner at HORNE Cyber where she oversees all aspects of cyber assurance services. Cleland’s depth of knowledge in assurance covers service to a variety of clients in both external and internal audit capacities including governmental A-133 audits; and in industries as diverse as real estate, healthcare, nonprofit, retail and manufacturing.