Why are Cyber Attacks Against Medical Devices Surging?
Medical devices are a prime target for hackers right now. Here are the reasons why and what medical device companies can do to protect themselves and patients.
Medical device companies should up their game and view all strategic decisions through the lens of cyber security. Why? Because as medical devices become smarter and more connected, they open the door to more advanced and harder-to-solve cyber security threats.
These threats go beyond fraud and identity theft to endanger patient lives and public health by undermining the efficacy and safety of devices. They’re also bad news for medical device manufacturers (MDMs), harming both their finances and reputation.
Here’s what you need to know about where cyber security threats to medical devices are coming from. And what you can do about them. This includes the latest trends in medical sensors and wireless, regulatory compliance, remote patient monitoring, wearables, aging, AI and ML-enabled devices and legacy technology.
How big is the cyber security threat to medical devices?
Data breaches, including ransomware attacks, top the list of cyber security threats for the healthcare sector. These breaches are becoming more frequent. The sums of money involved are skyrocketing too, ranging from inflated ransom demands, damages, fines and legal fees to downtime and restoration costs. To put this in context:
- Between 2015 and 2019, the healthcare sector accounted for 1,587 data breaches – that’s a whopping 76.5% of all data breaches – according to nonprofit consumer organization Privacy Rights Clearinghouse.
- At $7.13 million, in 2020, healthcare also beat the energy, financial, pharma and technology sectors to top the table for the average cost of data breaches The global average for the same period was $3.86 million.
- Between 2018 and 2019, there were six headline-grabbing security breaches featuring MDMs. Each incident cost the company involved anything from $1.8 million to over $1 billion in damages, fines, legal fees, breaches of contract and more. That’s huge!
This bleak picture of cyber security is driven by several interconnected risks, many of which are unique to medical devices and their manufacturers. Here’s how.
Sensor-driven tech and wireless
Rapid developments in processing power, device miniaturization, sensors and wireless connectivity are ushering in a new era of smart connected health devices.
Creating a rich supply of sensitive patient data, these next-generation medical devices are allowing healthcare providers to deliver faster diagnoses and better treatments. They’re also shifting health care beyond the hospital and doctor’s office into the home.
The challenge is that the same technologies and features that improve healthcare outcomes for patients also make these devices more vulnerable to security breaches. This can affect the safety and effectiveness of devices and put patients’ health, safety and privacy at risk.
Medical devices and regulation
These threats and vulnerabilities cannot be completely eradicated. But the likes of the U.S. Food and Drug Administration (FDA) and the European Medicines Agency place most of the responsibility for mitigating the cyber security risks of medical devices at the door of manufacturers.
Indeed, the FDA makes it clear that MDMs need to manage cyber security risks throughout the entire lifecycle of their products. This includes monitoring, identifying, and addressing cyber security vulnerabilities once medical devices are on the market. It also covers any software upgrades or changes.
As medical devices become more sophisticated, it’s also becoming trickier for manufacturers to meet European GDPR and US HIPAA regulations, which address how patient data is protected, used and shared.
Top of the list of concerns for MDMs are:
- The sheer volume of sensitive electronic private health information (ePHI) that the latest medical devices can create, receive, maintain and send.
- The complex connectivity involved, embracing everything from the cloud – for real-time data transfer and processing – to a mash-up of professional and personal devices and smartphone apps.
Remote patient monitoring
Remote patient monitoring (RPM) technology extends the reach of medical professionals by providing a continuous stream of real-time information that allows a constant relationship with patients.
Typical RPM devices include continuous glucose monitors that remind diabetes patients to take their insulin while allowing their doctor to track their condition. Other popular choices include remote digital blood monitors that let patients send healthcare professionals their blood pressure, heart rate, blood oxygen and blood sugar levels.
With their potential to extend life and reduce healthcare costs, there’s a lot to like about RPM technologies and devices. This includes their home-care capabilities and patient-centric approaches to treatments such as chronic pain relief. Hence, it’s predicted that over a quarter (26.2%) of Americans, that’s 70.6 million patients, will be using RPM tools by 2026.
The potential downside of RPM devices is the vast quantities of ePHI that they and their associated ecosystems collect, store and transmit, which opens the door to cyber security vulnerabilities.
In March, for example, an unauthorized individual accessed the protected health data of myNurse, a healthcare startup providing chronic care management and remote patient monitoring services, thereby exposing patients’ demographic, health, and financial information. Since when the California-based company has temporarily shut up shop, a decision it says, “is unrelated to the data security incident.”
Like RPMs, wearables containing software and software as a medical device (SaMD) can be a tempting target for hackers looking to steal personal data, disrupt networks and corrupt communications.
Women’s mobile health apps focused on areas such as fertility and pregnancy should practice increased privacy and security rather than the reverse. So, it’s also worth noting that all these apps allowed behavioral tracking and 14 (61%) allowed location tracking.
Home-care medical devices, including wearables, robotics and remote patient monitoring devices are a good fit for increased life expectancy and our growing preference for aging at home.
Intelligent drug dispensers, for example, can help maintain a consistent medication regime. Wearable devices can monitor a variety of health metrics and also detect falls and send alerts.
These devices give older people more freedoms and independence. They also raise the stakes for MDMs around cyber security. Here’s how.
- Today, around 85% of older people have a chronic health condition and 50-60% have at least two.
- A recent upsurge in sales of medical devices to older people has created more data and more types of data. This has handed cyber criminals an increased attack surface.
- More devices also mean more older people are now entrusting MDMs to implement cyber security measures that keep their ePHI and personally identifiable information safe.
- These older people are also relying on manufacturers to guarantee their ongoing care through the availability of their medical devices, systems and applications 24/7, 365 days a year.
- What’s more, they’re depending on MDMs to maintain the integrity of these devices, systems and applications to prevent malicious attacks that could result in them receiving the wrong care, which could be fatal.
AI and ML-enabled medical devices
Artificial intelligence (AI) and machine learning (ML) technologies have the potential to enable medical devices to learn from and act on the real-world data they collect. This includes a capability for devices to improve their own performance and evolve.
- Imagine a smart sensor device that gets better at estimating the probability of you having a heart attack. Or, how about a wearable that infers the onset of disease by finding patterns in your health data?
As these changes can happen fast in response to new data, and in ways that are difficult to foresee, AI and ML-enabled devices are also an ethical and cyber security minefield.
First, AI and ML need data, which raises the problems of how to manage user consent and the mountains of ePHI involved. Second, cyber security measures need to prevent attacks that lead to inaccurate, even potentially harmful, recommendations for treatment.
As such, the FDA is currently considering how to adapt its review process for AI and ML-enabled medical devices to embrace and regulate their iterative improvement ability while assuring patient safety across the total product lifecycle.
Not all cyber security challenges are about shiny new technologies and products. Many medical devices today use outdated or insecure software, hardware and protocols that make them more vulnerable to cyber security compromises. Indeed, legacy technology is the norm.
These critical devices include pacemakers, drug infusion pumps and insulin pumps. In theory, cyber criminals can reprogram these devices to say, disrupt someone’s heartbeat, drug regime or the amount of insulin they receive. All of which are potentially fatal.
Some older medical devices have the added risk of ransomware attacks. As many of these devices rely on systems that no longer support security patches and updates – think Windows XP and Windows Server 2003 – they serve as targets for hackers looking for entry points into entire healthcare networks.
What’s more, the problem of legacy technology is set to continue. Why? Because the central issue is overstretched budgets. As R&D for medical devices becomes more costly, manufacturers shy away from investing in developing new devices. Likewise for healthcare delivery organizations, who can struggle to justify splashing out on something new if what they’re already using still works from a medical perspective.
The upshot is that older medical devices stay in circulation for longer while cyber security teams play a never-ending game of catch-up.
Healthcare companies don’t like paying for cyber security
All these factors make it remarkable that healthcare firms are so reluctant to invest in cyber security to protect themselves and their customers. Indeed, just 4 to 7% of a typical healthcare provider’s IT budget is spent on cyber security according to the publishing group, SafetyDetectives. That’s compared to around 15% in other industries such as the finance sector.
This makes the healthcare sector vulnerable to cyber security own goals. And, of course, it means that cyber criminals view healthcare companies, including MDMs, as easy pickings, as they know manufacturers don’t take security and privacy issues seriously.
Growing dependency on medical devices is driving higher requirements for the availability and integrity of these devices and their associated services.
At the same time, increased amounts of data are also creating more complex confidentiality challenges. Both these factors make medical devices a prime target for ransomware attacks. But medical device companies are not taking this and other cyber security threats seriously.
MDMs need to rethink their approach and integrate cyber security testing into their existing development lifecycle. The best way to do this is to:
- Assess key risks and develop a holistic plan addressing people, processes and technology.
- Integrate a risk-based approach into existing development environments and processes.
- Ensure ongoing maintenance of integrated frameworks.