In today’s internet-connected era, it is a given that as medical device technology continues to develop, so will the number of devices that rely on network connectivity. The biggest market for these devices is healthcare clinics and hospitals, because they make it possible to monitor an increasing array of patient information faster and more consistently. The average hospital has 10 network-connected medical devices per bed, so if you do the math for an average-size hospital of 500 beds, you get a large IT-dependent network of devices for just one hospital alone.[1] While a vast network of connected devices has obvious benefits, it also brings increased cybersecurity risk and leaves hospitals more vulnerable to ransomware.
Ransomware is a type of software designed to block access to a computer system (or device) until a sum of money is paid, and hospitals are easy victims due to the large amount of sensitive data transmitted over their networks. One study found that since 2016 there have been 172 individual attacks affecting 6.6 million patients. These attacks cripple hospitals and healthcare organizations because the ransomware prevents access to crucial patient data until a fee is paid to the hacker, with demands ranging from $1,600 to $14,000,000.[2] Beyond the obvious financial impact ransomware can have on hospitals, it can also affect critical patient care: one study found that hospital time-to-electrocardiogram increased by as much as 2.7 minutes following a breach.[3] Additionally, the FDA had to issue a safety communication about Medtronic’s implantable cardioverter defibrillators (ICDs), which had a potential cybersecurity vulnerability affecting communication between the device and clinic monitors.[4]
In response to this growing risk, the FDA has implemented a requirement in its Medical Device Safety Action Plan that calls on medical device manufacturers to build security update and patching capabilities into network-connected devices at the design stage. The plan also outlines procedures for disclosing potential vulnerabilities in these devices after they are on the market.[5] It is becoming increasingly crucial that medical device developers include an analysis of cybersecurity threats when performing a risk assessment of their device. It is also recommended that anti-ransomware and anti-cyberattack capabilities be designed into the device’s specifications. If you are submitting one of these devices to the FDA, you can expect the agency to want to see in detail how you are mitigating cybersecurity risks.
EMMA International can help you complete a thorough risk assessment for your network-connected medical device; call us at 248-987-4497 or email info@emmainternational.com to learn more!
[1] Miliard (Feb 2016). Cybersecurity pro: Networked medical devices pose huge risks to patient safety. Retrieved on 02/16/2020 from: https://www.healthcareitnews.com/news/cybersecurity-pro-networked-medical-devices-pose-huge-risks-patient-safety
[2] Bischoff (Feb 2020). 172 ransomware attacks on US healthcare organizations since 2016 (costing over $157 million). Retrieved on 02/16/2020 from: https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/
[3] Choi, PhD (Sep 2019). Data breach remediation efforts and their implications for hospital quality. Retrieved on 02/16/2020 from: https://onlinelibrary.wiley.com/doi/full/10.1111/1475-6773.13203
[4] FDA (March 2019). Cybersecurity Vulnerabilities Affecting Medtronic Implantable Cardiac Devices, Programmers, and Home Monitors: FDA Safety Communication. Retrieved on 02/16/2020 from: https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-affecting-medtronic-implantable-cardiac-devices-programmers-and-home
[5] FDA (n.d.). Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health. Retrieved on 02/16/2020 from: https://www.fda.gov/media/112497/download