A new report has found that despite playbooks for handling medical device security, the security threats remain high and will require a coordinated effort by government and industry to solve.
The report came from a collaboration between the eHealth Initiative & Foundation (eHI) and the Booz Allen Hamilton consulting firm. Titled “Securing Connected Medical Devices,” the report aims to better prepare industry leaders to deal with the changes that will be required to ensure medical device security.
The report also came with a warning, voiced in a joint press release from both companies: “The medical device ecosystem is at a critical moment where strong leadership across industry, government, and the public is needed to prepare for a secure connected future.”
The report illustrated the gravity of the situation by noting that sophisticated hackers could even change a diagnosis and treatment plan without detection if a medical device is not properly secured. Hackers could also potentially keep a device from working properly.
Where We Were
The report did not break new ground in offering information about the problems with medical device security. Not long ago, Wired called medical devices “the next security nightmare.” They noted that medical devices are connected to larger systems used by hospitals and other medical providers – meaning they could offer a way for hackers to enter and obtain information from those systems.
Even as the federal government and manufacturers work to create regulations and best practices for device use, the security challenges are not just related to the devices themselves. Security experts also warn that the apps used on medical devices will become targets for hackers.
A 2017 survey found that 1-in-4 patients say they already have had their information stolen by hackers. Half of them also said they would switch providers if they found out their data had been compromised. That offers a great illustration of both the privacy concern for patients and the business concern for medical providers.
Potential for Severe Disruption
While concerns have been around for some time, the new report sought to find solutions. But first, both companies offered a stark assessment of the potential issues in the current situation.
According to the press release, medical devices “represent significant innovations in patient care.” However, they also face dangers that did not previously exist. The release and report note that medical devices connected either wirelessly or by wire are “easier to disrupt, and the potential disruption much more severe.”
Potential Solutions
The report calls for healthcare companies (and whatever cyber security company they hire) to take a threat-centric approach to medical devices. In other words, development and use of the devices should be planned with the idea that there will be attempts to hack them.
The report puts responsibility for system security with everyone involved: manufacturers, regulators, healthcare organizations, healthcare providers and the patients themselves. To protect security, the report calls for a collaborative effort among everyone involved.
It noted that multiple solutions are needed. For example, the security of supply chains is something a manufacturer must address. After sale of a device, the patient must be aware of best practices to maintain security or signs that there is a problem.
First Steps Taken
Developing the best practices and regulations around the use of medical devices is critical, but the industry is not there yet. According to eHI, which assembled a roundtable of industry leaders as part of the report, the industry is not currently in a state to handle the security risks.
The Healthcare and Public Health Sector Coordinating Council (HSCC) has released a security plan that offers recommendations for how to ensure medical device security, but with the caveat that it will need to be updated. The report is seen as a first step.
The security plan “will be a living document and will be updated as required to adapt to the ever-changing threat environment for medical devices and health IT solutions.”
Also, the Medical Imaging & Technology Alliance (MITA) has published a medical device cybersecurity playbook that supports radiologists and is aligned with the playbook released by the Food and Drug Administration in 2018.
Although these plans have helped, “there is much more to do,” according to the eHI-Booz Allen report. They continued:
“To successfully combat cybersecurity threats, every stakeholder will need to take action in a manner different than today—with the agility to adapt their actions over time as the threats they face evolve.”