Will Innovation Drive Cyber Attacks in Healthcare

by | Oct 20, 2017 | Medical Devices

Hacking of the Healthcare Industry

Medical devices are creating new vulnerabilities in the healthcare industry that put patient care and personal data at risk. In recent years, the healthcare industry has been hacked more frequently than the financial sector due to the lack of attention to cyber security risk.

Hackers take advantage of inadequate security on medical devices not only to control the device itself, but also to use it as an entry point into larger hospital networks. Once systems are compromised, hackers can hold patient data or services ransom until a hospital pays the extortion fee. Given the life-or-death stakes of having access to all the necessary tools for patient care, this tends to be a fruitful target for hackers looking for a quick payment in exchange for handing back data.

In addition to holding data and services ransom, hackers can also access patient data to perpetrate identity theft for financial fraud, or to fill prescriptions and sell them on the dark web. Cyber security in the healthcare sector is an issue that needs to be addressed to ensure the safety of patients’ data and access to quality care.

Innovation at the Risk of Cyber Security

We previously wrote about the FDA’s partnership with major tech companies to create a fast-track program to regulate medical devices. The aim of this system is to allow the pace of innovation to keep up with the potential of the technology and the demand of consumers. The potential to manage chronic illnesses, collect meaningful data to inform care, and facilitate real-time communication of health information will advance the quality of patient care, but will the pace of innovation outrun the attention to cyber security risk?

In the U.S., each hospital bed contains 10 to 15 connected medical devices, and each device represents a potential vulnerability to cyber security. These devices are easily discoverable, and while each device is not necessarily vulnerable, the sheer volume and accessibility make finding an entry point an inevitability for hackers. The diversity of devices and the lack of attention to security checks, both by the device manufacturers and on the hospitals’ networks, create a real security threat. Creating a fast track to bring medical devices to market by pre-approving companies will exponentially increase risk if holistic attention to cyber security is not properly taken into consideration.

Clarity on Regulation

The FDA has been warning the healthcare industry for years about the vulnerability of medical devices to cyberattacks, but these warnings have largely been without consequences. It’s clear that the FDA will be advancing the expectations of cyber security in medical devices, but standardization and clarity are needed.

New legislation from two lawmakers aims to lay out a framework to address these issues. U.S. Representatives Dave Trott and Susan Brooks introduced the Internet of Medical Things Resilience Partnership Act to collect and centralize all existing cyber security standards, guidelines, and best practices. The committee will identify gaps and problems, and define actionable solutions and a framework that IoMT (Internet of Medical Things) developers can use as a reference. This collaborative approach to securing the already vulnerable landscape of technology in the healthcare industry is a much-needed protection, particularly with the impending expansion of medical devices.

Emma International
