Ann Cleland

Are Your Medical Devices Secure?

Physical well-being and confidentiality depend on it

Published: Wednesday, October 4, 2017 - 12:02

If your hospital or clinic uses a Windows 7-based version of a Siemens PET/CT or SPECT system, it could be vulnerable to attack by a relatively low-skill hacker, according to a July 26, 2017, security advisory from the company.

The Industrial Control System Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, also released an advisory on the vulnerabilities, each of which was scored at a “critical” level of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS). And recently, the FDA recalled 465,000 pacemakers after finding vulnerabilities that could let hackers reprogram the devices.

Both advisories note that the exploitability of these vulnerabilities depends on an organization’s configuration and deployment environment. In a network that lacks proper segmentation or other access controls, a successful hack of a medical device could open a portal into the larger network.

All of which brings us to the essential question: What havoc could a malicious actor wreak, not just on the device itself, but on the confidentiality, availability and integrity of your entire IT system?

A matter of life and death

The game of overhyping cybersecurity risks for marketing purposes is one we try hard not to play. However, we don’t think it’s overstating the case to say that vulnerabilities in medical devices can have fatal consequences. Former U.S. Vice President Dick Cheney knew that, which is why he had his wireless pacemaker disabled.

Most patients don’t have a high-profile target on their backs, but their medical records do. A single Medicare or Medicaid medical record commands up to $500 on the black market. Vulnerable medical devices can serve as a huge blinking arrow beckoning cyber thieves to this rich bounty.

Regulators take cybersecurity very seriously. The Centers for Medicare & Medicaid Services (CMS) has hit HIPAA-covered entities with multimillion-dollar fines for privacy and security violations.

A task force convened by the Secretary of Health and Human Services stated in its June 2017 “Report on Improving Cybersecurity in the Health Care Industry,” “Healthcare cybersecurity is a key public-health concern that needs immediate and aggressive attention.”

The FDA issued recommendations for improving the security of connected medical devices. Among these nonbinding recommendations, the FDA urges that “manufacturers should address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks.”

Follow good security hygiene

Unfortunately, “security by design” remains the exception rather than the rule. But users of these devices can implement some “basic hygiene” measures to mitigate the impact of vulnerabilities such as those in the Siemens molecular imaging devices.

Isolate medical devices from the electronic health record (EHR) and the rest of the network. Imagine an intruder breaks in through your front gate only to find all the doors to your house unlocked. This scenario is frighteningly close to reality for many hospitals and clinics. When connected medical devices are hooked into the larger IT network, an attacker can gain access to the device and leapfrog easily to patients’ medical files and other valuable, sensitive data. In addition to a properly segmented network, other controls healthcare IT departments should strongly consider include locating medical devices behind firewalls and making them inaccessible from the public internet.

Implement patches as soon as they become available. Unfortunately, medical device manufacturers often don’t have the infrastructure to identify vulnerabilities and issue patches. Even when manufacturers do issue patches, the IT departments of resource-strapped hospitals and clinics may not get the message.

Back up all systems regularly. A backup and system restoration process will not prevent a hacking incident, but it will minimize the consequences of a successful attack.
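As an added illustration that is not part of the original article, the following Python script checks a constructed device inventory against the three hygiene measures above: membership in an isolated device segment with no public-internet exposure, a vendor patch applied after the July 26, 2017, advisory on Windows 7-based systems, and a recent backup. The subnet, backup policy, device names, addresses and dates are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed policy values (constructed for this example, not from the advisories).
ISOLATED_SEGMENT = ip_network("10.50.0.0/24")  # assumed medical-device VLAN
ADVISORY_DATE = date(2017, 7, 26)              # Siemens advisory date cited in the article
MAX_BACKUP_AGE_DAYS = 7                        # assumed backup policy
TODAY = date(2017, 10, 4)                      # article publication date, used as "now"


@dataclass
class Device:
    name: str
    ip: str
    os: str
    patched_on: Optional[date]   # date the vendor patch was applied, None if never
    last_backup: Optional[date]  # date of the last verified backup, None if never
    internet_reachable: bool     # True if reachable from the public internet


def hygiene_findings(dev: Device, today: date) -> List[str]:
    """List which of the article's three measures this device fails."""
    findings = []
    # Measure 1: isolate devices from the EHR/network and the public internet.
    if ip_address(dev.ip) not in ISOLATED_SEGMENT:
        findings.append("not in isolated device segment")
    if dev.internet_reachable:
        findings.append("reachable from public internet")
    # Measure 2: patch promptly; only Windows 7-based systems are in scope here,
    # and a patch dated before the advisory cannot have addressed it.
    if dev.os.startswith("Windows 7") and (dev.patched_on is None or dev.patched_on < ADVISORY_DATE):
        findings.append("advisory patch not applied")
    # Measure 3: regular backups so a successful attack can be recovered from.
    if dev.last_backup is None or (today - dev.last_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append("backup older than policy")
    return findings


def audit(devices: List[Device], today: date) -> Dict[str, List[str]]:
    return {d.name: hygiene_findings(d, today) for d in devices}


# Constructed inventory: names, addresses and dates are made up for the example.
SAMPLE_DEVICES = [
    Device("pet-ct-1", "10.50.0.12", "Windows 7 Embedded", date(2017, 8, 15), date(2017, 10, 1), False),
    Device("spect-2", "10.20.1.40", "Windows 7", None, date(2017, 9, 1), True),
    Device("ct-3", "10.50.0.30", "Windows 10", None, date(2017, 10, 2), False),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_DEVICES, TODAY).items():
        print(name, "OK" if not problems else "; ".join(problems))
```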

No matter your role, it is within your power to improve cybersecurity in your organization simply by asking the question, “What are we doing to prepare for a cybersecurity incident?”

Even if you don’t get a satisfactory answer, keep asking. The safety of your patients and the stability of your organization may depend on it.

About The Author

Ann Cleland

Ann Cleland is a partner at HORNE Cyber, where she oversees all aspects of cyber assurance services. Cleland’s depth of knowledge in assurance covers service to a variety of clients in both external and internal audit capacities, including governmental A-133 audits, and in industries as diverse as real estate, healthcare, nonprofit, retail and manufacturing.