Cyber security flaws revealed in medical devices

20 September 2017

The medical devices market is growing fast, but concerns for cyber security are emerging, giving rise to increased regulatory scrutiny.

The healthcare sector is adopting a wide range of connected technologies used to monitor and treat patients in hospitals and in their homes. The global medical device cyber security market is expected to reach USD 28.9 billion by 2023, expanding at an annual growth rate of 35.59%.



Implanted cardiac devices, like pacemakers, drug dispensing pumps, through to a wide range of hospital monitoring equipment, connect to hospital networks or third parties via the internet. Security researchers have previously raised concern for the security of such devices, but recent events have seen these fears crystallise. 

Cyber Recalls

The past year has seen a number of medical device manufacturers issue warnings about the security of certain connected devices, including the recall of 745,000 pacemakers in August by Jude Medical, after security flaws left them vulnerable to hacking. The vulnerabilities, if exploited, could allow an unauthorised user to access a patient’s device and modify programming commands, controlling the pace-rate and/or power. 

The recall is thought to be the first for an implanted device due to cyber vulnerabilities. The US Food and Drug Administration (FDA) has approved an update to address the cyber security vulnerabilities and is advising affected patients to contact their physicians. 

A few weeks after the pacemaker vulnerabilities were revealed, the US Department of Homeland Security warned of security flaws in syringe pumps used in hospitals around the world. 

The warning came after a security researcher discovered eight separate flaws in a wireless pump made by Smiths Medical that could allow hackers to change the dosages being delivered to patients. In 2016, Johnson & Johnson warned patients of a security vulnerability in one of its insulin pumps. 

Attractive Target

According to the FDA, as medical devices become more connected there is a corresponding increase in the risk of cyber security. 

Like other computer systems, connected medical devices are vulnerable to cyber attack. A perceived lack of sufficient protections means that they are a tempting target for cyber. Older medical devices, developed at a time when cyber security was not a high priority for manufacturers, are thought to be particularly vulnerable. 

Vulnerabilities in devices like pacemakers raise obvious concerns for patient safety, but the issues pose a wider threat to healthcare companies. Devices are typically connected to hospital networks or third party platforms via the internet or cloud. This exposes hospitals and manufacturers to potential cyber attacks, including the theft of data or extortion. 

To make matters worse, the software used in medical devices is often closely guarded by vendors, posing a challenge for hospitals looking to protect against malware and ransomware. 

Regulatory Focus

Given the threat, cyber security is now a major focus for regulators. The FDA (which regulates medical devices in the US from a safety perspective) now expects manufacturers to build-in cyber security controls when designing a device, as well as address cyber security concerns once the device is on the market. 

The FDA does not test medical devices for cyber security before they go to market, but it has published guidance on both the pre-market and post-market management of medical device cyber security. The FDA is also now working with other bodies to develop a shared cyber security risk assessment framework. 

A bill recently put before Congress would further tighten medical device regulation in the US with regards to cyber security. The Medical Device Cybersecurity Act of 2017 would require medical device manufacturers to file a report card with the FDA that included a cyber security risk assessment and details of cyber security controls.

Download Cyber Decoder

For further information, please contact FLG@jltasia.com

video

Receive our monthly cyber risk newsletter

Subscribe