Hacking of the Healthcare Industry
Medical devices are creating new vulnerabilities in the healthcare industry that put patient care and personal data at risk. In recent years, the healthcare industry has been hacked more frequently than the financial sector due to the lack of attention to cyber security risk.
Hackers take advantage of inadequate security on medical devices not only to control the device itself, but also to use it as an entry point into larger hospital networks. Once a network is compromised, hackers can hold patient data or services ransom until a hospital pays the extortion fee. Given the life-or-death stakes of having access to all the necessary tools for patient care, hospitals tend to be a fruitful target for hackers looking for a quick payment in exchange for handing back data.
In addition to holding data and services ransom, hackers can also access patient data to perpetrate identity theft for financial fraud, or to fill prescriptions and sell them on the dark web. Cyber security in the healthcare sector is an issue that needs to be addressed to ensure the safety of patients’ data and access to quality care.
Innovation at the Risk of Cyber Security
We previously wrote about the FDA’s partnership with major tech companies to create a fast-track program to regulate medical devices. The aim of this system is to allow the pace of innovation to keep up with the potential of the technology and demand of consumers. The potential to manage chronic illnesses, collect meaningful data to inform care, and facilitate real-time communication of health information will advance the quality of patient care, but will the pace of innovation outrun the attention to cyber security risk?
In the U.S., each hospital bed contains 10 to 15 connected medical devices and each device represents a potential vulnerability to cyber security. These devices are easily discoverable, and while each device is not necessarily vulnerable, the sheer volume and accessibility make finding an entry point an inevitability for hackers. The diversity of devices and the lack of attention to security checks, both by the device manufacturers and on the hospitals’ networks, create a real security threat. Creating a fast track to bring medical devices to market by pre-approving companies will exponentially increase risk if cyber security is not given holistic attention.
Clarity on Regulation
The FDA has been warning the healthcare industry for years about the vulnerability of medical devices to cyberattacks, but these warnings have largely been without consequences. It’s clear that the FDA will be advancing the expectations of cyber security in medical devices, but standardization and clarity are needed.
New legislation from two lawmakers aims to lay out a framework to address these issues. U.S. Representatives Dave Trott and Susan Brooks introduced the Internet of Medical Things Resilience Partnership Act to collect and centralize all existing cyber security standards, guidelines, and best practices. The committee will identify gaps and problems, and define actionable solutions and a framework as a reference for IoMT (Internet of Medical Things) developers. This collaborative approach to securing the already vulnerable landscape of technology in the healthcare industry is a much-needed protection, particularly with the impending expansion of medical devices.