The rise of modern technology has undeniably made our lives easier, and who better to make use of this ease and better quality of life than patients who have medical conditions?
Over the years, the healthcare industry has become increasingly dependent on medical devices, which allow healthcare providers to easily administer treatment to patients and help them lead normal and healthy lives.
However, medical technology also carries cybersecurity risks, because these devices can be hacked.
In the first half of 2019, 32 million patient breaches were recorded, and 60 percent of these were caused by hacking.
What could these cybersecurity vulnerabilities mean for the healthcare industry, and just how much do these security concerns put patients at risk?
What Is an Implantable Medical Device?
An implantable medical device (IMD) is a man-made implant placed inside the body during a surgical procedure and is intended to stay there after the surgery to support or enhance biological functions.
An increasing number of the electronic devices implanted into patients include some form of wireless connectivity, which allows these devices to communicate with hospital systems and with health care professionals who need to remotely gather data on their patients’ conditions to monitor their progress.
However, because of their proximity to modern computers, they are also exposed to the security flaws that are characteristic of mainstream technology. As a result, implantable medical devices can pose security hazards with serious, if not fatal, consequences for patients.
Which IMDs Have Been Recalled Due to Cybersecurity Concerns?
Implantable devices such as pacemakers and insulin pumps have been popular targets of medical device hackers.
But what’s ironic is that these vulnerabilities came to the surface not because of FDA researchers, but because of hackers themselves.
The first warning came from a hacker named Jay Radcliffe, who happens to be diabetic and has his own implantable insulin pump. At a conference in 2011, he demonstrated that hacking and taking control of an insulin pump wasn’t difficult at all. In fact, an attacker could alter doses, which carries the risk of sending a lethal dose of insulin to a patient.
A year later, another hacker revealed that pacemakers were also vulnerable to hacking, as it is possible to send lethal electric shocks to patients through the devices.
Needless to say, these vulnerabilities quickly got the attention of the FDA, the agency that regulates medical devices and issues recalls for faulty devices that have caused serious injuries or, worse, death to patients.
In 2013, in response to these hackers’ revelations, the agency issued its first cybersecurity guidance, followed by other advisories in light of the growing concerns over the vulnerabilities of implantable medical devices.
However, other devices with these security concerns still made it to the market. As a result, the FDA had to issue several warnings and recalls.
Some of the medical devices that were caught up in cybersecurity concerns include:
Hospira Infusion Pumps
In 2015, the FDA advised hospitals not to use Hospira Inc.’s Symbiq Infusion System, a family of medical devices that are used to administer medication into a patient’s bloodstream.
It was the first time that the agency issued a warning urging that use of a device be discontinued due to cybersecurity issues. The FDA said that a security vulnerability could allow hackers to take control of the system and change the dosage that the pump delivers, potentially causing harm to patients.
St. Jude Medical Pacemakers
In 2017, the FDA recalled 465,000 St. Jude pacemakers because they were found to be vulnerable to hacking and other cybersecurity threats.
According to authorities, hackers could put patients’ lives at risk by draining the batteries or forcing the heart devices to run at potentially deadly speeds.
Patients were advised to go to hospitals and clinics to update their firmware. This FDA-approved security update has since reduced the risk of unauthorized access to the implantable cardiac pacemakers.
Smiths Medical Syringe Infusion Pumps
In 2017, Smiths Medical’s Medfusion 4000 wireless syringe infusion pump products were the subjects of an advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The devices in question are used to deliver fluids such as medications, nutrients, and insulin, among others, into a patient’s body in a controlled manner.
ICS-CERT identified a total of eight cybersecurity vulnerabilities in the devices, which would require a highly skilled attacker to exploit successfully.
The vulnerabilities could allow an attacker to obtain unauthorized access to the device and affect the pump’s intended operation, making the administration of fatal overdoses a possibility.
Medtronic Heart Rate Monitors
In 2019, the FDA issued a safety communication alert to warn healthcare providers and patients about the cybersecurity vulnerabilities of Medtronic’s implantable cardioverter-defibrillator (ICD) devices.
Also known as heart rate monitors, these devices are surgically implanted in the chests of patients and are used to treat abnormal heart conditions.
Medtronic Insulin Pumps
In the same year, Medtronic recalled two of its MiniMed insulin pump devices due to the risk of hackers wirelessly interfering with them.
This means that hackers could potentially change the pump’s settings and, if they have malicious intent, make the pump deliver excess amounts of insulin, potentially causing dangerously low blood sugar levels.
Fortunately, no patient who used the pump was harmed by the issue.
Reducing Cybersecurity Risks in Health Care
According to Becker’s Hospital Review, data breaches cost the health care sector around $5.6 billion every year.
With this significant financial impact, it is only right to take steps to strengthen cyber defenses, such as updating and upgrading operating systems and applying security patches, to help prevent data breaches in the health industry and health informatics.
According to a 2018 health information cybersecurity survey, 84% of hospitals and health care systems devoted a growing proportion of their resources to prevent cyberattacks during the year.
The same survey found that more than 83% had implemented new or improved security measures, and 65% replaced or upgraded IT software and other related devices.
In the same year, the FDA released a detailed new medical device safety plan that included a proposal to create a CyberMed Safety (Expert) Analysis Board, a public-private partnership to assess vulnerabilities and patient risks.
The proposals came as healthcare organizations were urging device manufacturers to help protect the security of medical devices. The plan is built on the idea of reducing vulnerabilities throughout a device’s life cycle.
It is important to note that other health care professionals may also play an important role in ensuring that medical groups remain secure.
But perhaps the biggest responsibility lies with medical device manufacturers, who can improve cybersecurity by keeping themselves up to date through cybersecurity training and education, which would help establish a culture of security within the organization.
The goal is to emphasize that every member of the group is responsible for protecting not only patient data but also their safety.