Recent media releases have highlighted the rising cyber security threat within the healthcare sector. This summer saw the NHS held hostage by malicious hackers, and it is estimated that approximately 450,000 pacemaker patients alone require security patches to protect against device vulnerabilities that could be exploited to affect the devices' performance and power supply. These are products from one manufacturer only, and the focus of the hackers seems to have shifted to healthcare as a new sector to be targeted: reports indicate that in the last three years there have been more attempts within the healthcare sector than the banking sector. Budget reports indicate that healthcare providers spend less than 6 percent of their IT budget on security, something that will need to change in the future to protect patients and patient data, and to meet the mandatory standards required for regulatory approval.
This problem is being reported by many of the large medical device manufacturers, including Johnson & Johnson and Abbott, across a wide range of different devices. More and more devices have wireless connectivity, as it allows for remote monitoring by healthcare professionals and also the ability to adjust the devices once they have been implanted. However, this is what gives the hacker the weakness they are looking for. These complex, niche devices took a long time to develop and manufacture, and ten or more years ago the possibility of such an attack was not really a reality. It was therefore not protected against, nor were any threat detection systems put in place.
It is not only single devices that can be accessed this way. Once one device has been compromised, it leaves the whole network open to exploitation and is a gateway through which to attack entire hospitals and clinics, via access to the array of sensors and monitors the device interacts with. This can also lead to a breach of patient information, which is being used in identity fraud, and to prescriptions being stolen and the acquired pharmaceutical products being sold on the black market. Although, to date, there are no reports of individual patients being targeted, vulnerabilities have been discovered in pacemakers, infusion pumps and insulin pumps, which poses a very real and present danger to patients' lives, but also, interestingly, in devices such as CT scanners. In order to get a grasp on the situation, phony devices were planted within hospital networks and monitored. It seems that these larger devices were targeted as an essential launch pad into the entire hospital network, and perhaps they are being targeted whilst the industry focuses on surgically embedded devices.
The vulnerabilities, in the majority of cases, could be negated by simple patch updates to existing software applied in the hospital setting, but this is prohibited by regulatory standards. Due to the role they perform, medical devices cannot be altered in any way by anyone other than the manufacturer, or without the manufacturer's permission, as it may affect their functions. In the pacemaker example discussed at the start of this blog, the patients were required to attend a dedicated surgery where the necessary software patch was added.
The regulatory bodies have become more involved in the prevention of cyber-attacks on medical devices, and built-in security is now a prerequisite, as part of the FDA approval process, for new devices that could be vulnerable. This will protect the devices and patients of the future. However, there remains an incomprehensible number of devices without the ability to ward off attacks. It is very easy to search for connected devices, and several search engines exist purely for this function. The race is very much on to secure all hardware to protect patients.
More Blogs from Julie McEwan
Julie has written numerous interesting and well researched blogs on a wide range of topics related to Medical Devices and Human Factors. Please click here to read more of Julie's blogs and here to find out more about Julie.