Medical device companies should up their game and view all strategic decisions through the lens of cyber security. Why? Because as medical devices become smarter and more connected, they open the door to more advanced and harder-to-solve cyber security threats.
These threats go beyond fraud and identity theft to endanger patient lives and public health by undermining the efficacy and safety of devices. They’re also bad news for medical device manufacturers (MDMs), harming both their finances and reputation.
Here’s what you need to know about where cyber security threats to medical devices are coming from, and what you can do about them. This includes the latest trends in medical sensors and wireless, regulatory compliance, remote patient monitoring, wearables, aging, AI and ML-enabled devices and legacy technology.
Data breaches, including ransomware attacks, top the list of cyber security threats for the healthcare sector. These breaches are becoming more frequent. The sums of money involved are skyrocketing too, ranging from inflated ransom demands, damages, fines and legal fees to downtime and restoration costs. To put this in context:
This bleak picture of cyber security is driven by several interconnected risks, many of which are unique to medical devices and their manufacturers. Here’s how.
Rapid developments in processing power, device miniaturization, sensors and wireless connectivity are ushering in a new era of smart connected health devices.
Creating a rich supply of sensitive patient data, these next-generation medical devices are allowing healthcare providers to deliver faster diagnoses and better treatments. They’re also shifting health care beyond the hospital and doctor’s office into the home.
The challenge is that the same technologies and features that improve healthcare outcomes for patients also make these devices more vulnerable to security breaches. This can affect the safety and effectiveness of devices and put patients’ health, safety and privacy at risk.
These threats and vulnerabilities cannot be completely eradicated. But the likes of the U.S. Food and Drug Administration (FDA) and the European Medicines Agency place most of the responsibility for mitigating the cyber security risks of medical devices at the door of manufacturers.
Indeed, the FDA makes it clear that MDMs need to manage cyber security risks throughout the entire lifecycle of their products. This includes monitoring, identifying, and addressing cyber security vulnerabilities once medical devices are on the market. It also covers any software upgrades or changes.
As medical devices become more sophisticated, it’s also becoming trickier for manufacturers to meet European GDPR and US HIPAA regulations, which address how patient data is protected, used and shared.
Top of the list of concerns for MDMs are:
Remote patient monitoring (RPM) technology extends the reach of medical professionals by providing a continuous stream of real-time information that allows a constant relationship with patients.
Typical RPM devices include continuous glucose monitors that remind diabetes patients to take their insulin while allowing their doctor to track their condition. Other popular choices include remote digital blood monitors that let patients send healthcare professionals their blood pressure, heart rate, blood oxygen and blood sugar levels.
With their potential to extend life and reduce healthcare costs, there’s a lot to like about RPM technologies and devices. This includes their home-care capabilities and patient-centric approaches to treatments such as chronic pain relief. Hence, it’s predicted that over a quarter (26.2%) of Americans, that’s 70.6 million patients, will be using RPM tools by 2026.
The potential downside of RPM devices is the vast quantities of ePHI that they and their associated ecosystems collect, store and transmit, which opens the door to cyber security vulnerabilities.
In March, for example, an unauthorized individual accessed the protected health data of myNurse, a healthcare startup providing chronic care management and remote patient monitoring services, thereby exposing patients’ demographic, health, and financial information. Since then, the California-based company has temporarily shut up shop, a decision it says “is unrelated to the data security incident.”
Like RPMs, wearables containing software and software as a medical device (SaMD) can be a tempting target for hackers looking to steal personal data, disrupt networks and corrupt communications.
What’s more, over time, users of wearables can become desensitized to data privacy and sensitivity issues around their device. They also may not be fully aware of what information their wearable is collecting and how that data is shared. Take a recent study of 23 of the most downloaded and highest rated women’s health apps on Apple’s App Store and Google Play. This found that 20 of them shared data with third parties, only 16 displayed a privacy policy and three collected data before consent.
Women’s mobile health apps focused on areas such as fertility and pregnancy should practice increased privacy and security rather than the reverse. So, it’s also worth noting that all these apps allowed behavioral tracking and 14 (61%) allowed location tracking.
Home-care medical devices, including wearables, robotics and remote patient monitoring devices, are a good fit for increased life expectancy and our growing preference for aging at home.
Intelligent drug dispensers, for example, can help maintain a consistent medication regime. Wearable devices can monitor a variety of health metrics and also detect falls and send alerts.
These devices give older people more freedoms and independence. They also raise the stakes for MDMs around cyber security. Here’s how.
Artificial intelligence (AI) and machine learning (ML) technologies have the potential to enable medical devices to learn from and act on the real-world data they collect. This includes a capability for devices to improve their own performance and evolve.
As these changes can happen fast in response to new data, and in ways that are difficult to foresee, AI and ML-enabled devices are also an ethical and cyber security minefield.
First, AI and ML need data, which raises the problems of how to manage user consent and the mountains of ePHI involved. Second, cyber security measures need to prevent attacks that lead to inaccurate, even potentially harmful, recommendations for treatment.
As such, the FDA is currently considering how to adapt its review process for AI and ML-enabled medical devices to embrace and regulate their iterative improvement ability while assuring patient safety across the total product lifecycle.
Not all cyber security challenges are about shiny new technologies and products. Many medical devices today use outdated or insecure software, hardware and protocols that make them more vulnerable to cyber security compromises. Indeed, legacy technology is the norm.
These critical devices include pacemakers, drug infusion pumps and insulin pumps. In theory, cyber criminals can reprogram these devices to, say, disrupt someone’s heartbeat, drug regime or the amount of insulin they receive. All of which are potentially fatal.
Some older medical devices have the added risk of ransomware attacks. As many of these devices rely on systems that no longer receive security patches and updates – think Windows XP and Windows Server 2003 – they serve as targets for hackers looking for entry points into entire healthcare networks.
What’s more, the problem of legacy technology is set to continue. Why? Because the central issue is overstretched budgets. As R&D for medical devices becomes more costly, manufacturers shy away from investing in developing new devices. The same goes for healthcare delivery organizations, which can struggle to justify splashing out on something new if what they’re already using still works from a medical perspective.
The upshot is that older medical devices stay in circulation for longer while cyber security teams play a never-ending game of catch-up.
All these factors make it remarkable that healthcare firms are so reluctant to invest in cyber security to protect themselves and their customers. Indeed, just 4 to 7% of a typical healthcare provider’s IT budget is spent on cyber security according to the publishing group, SafetyDetectives. That’s compared to around 15% in other industries such as the finance sector.
This makes the healthcare sector vulnerable to cyber security own goals. And, of course, it means that cyber criminals view healthcare companies, including MDMs, as easy pickings, as they know manufacturers don’t take security and privacy issues seriously.
Growing dependency on medical devices is driving higher requirements for the availability and integrity of these devices and their associated services.
At the same time, increased amounts of data are also creating more complex confidentiality challenges. Both these factors make medical devices a prime target for ransomware attacks. But medical device companies are not taking this and other cyber security threats seriously.
MDMs need to rethink their approach and integrate cyber security testing into their existing development lifecycle. The best way to do this is to: