By Stuart Long
There’s no doubt that remote cardiac monitoring is saving lives. Yet the security of remote cardiac devices—which rely on wireless communications and web connectivity—has caused concern among health officials, clinicians, and patients.
Experts agree that it may never be possible to guarantee the total security of medical devices. After all, the only way to significantly reduce hacking risk would be to eliminate wireless communications and remote software updates—both technologies that benefit patients tremendously.
That’s not to say that all hope is lost, however. New technologies, improved consumer awareness, patient education, and precautionary steps can significantly reduce the risk of hackers accessing remote monitors and obtaining patients’ personal identifying information. What’s key is industry collaboration. All stakeholders—healthcare organizations, device manufacturers, security experts, and medical professionals—must be committed to patient safety and security.
Assessing the Threat
In a study published in the Journal of the American College of Cardiology, physicians said that while medical devices have been hacking targets for more than 10 years, the increasing number of devices relying on software and wireless communications has created more ways for hacking to take place.
It’s well known that hackers can do a number on medical devices—potentially causing them to malfunction, disrupting the transmission of patient medical data, or prematurely draining the batteries. The biggest risk to patients is if hackers intercept and modify data being transmitted to or from the device. If that interception is not detected, the hacker’s actions could potentially interfere with the patient’s care.
Moreover, 45 million medical device recalls took place in 2018 due to software and security issues. And a recent alert from the FDA warned that some cardiac implants could be hacked from as far as 20 feet away. Fortunately, so far there is no evidence any cardiac devices have ever been hacked.
Still, the concern over customer data has been a black cloud hanging over this growing industry. According to industry analysts, the connected medical device market is predicted to grow to $63 billion by 2024. That growth is due to a growing number of healthcare providers using remote data collection because of the many benefits it has provided patients; however, the security of that data has not kept up. Any lack of confidence in device security could severely damage the industry and device manufacturers in the future.
Steps for Security
There are several layers of device security. For starters, healthcare organizations should have secure information technology systems. On the network level, security measures must prevent data from becoming corrupted. And at the application layer—including web, mobile, or cloud-based applications connected to the device—security must be addressed during the design, development, and testing phases.
Security steps should include:
- Building security into Internet of Things (IoT) applications and devices during the design phase
- Preventing unauthorized users from gaining access
- Limiting data collection to information required for the device to operate as intended and keeping data only for the shortest amount of time necessary
- Designing products to ship with unique credentials or requiring users to set new credentials the first time they use the device
- Monitoring the health of devices and providing patches as soon as vulnerabilities are identified
Devices also need to meet HIPAA requirements by encrypting data transmitted and/or stored on servers. Moreover, last year, the U.S. Department of Health and Human Services recommended that device makers and the FDA conduct pre-submission meetings to better address questions regarding networked-device cybersecurity.
In response, the FDA asked manufacturers to provide:
- Hazard analysis listing the cybersecurity risks considered and the cybersecurity controls incorporated into the device
- Traceability matrix linking the actual cybersecurity controls to the risks that were considered
- Plans for validating and updating device software
- Description of controls in the software supply chain
Further, in July, the National Institute of Standards and Technology, part of the U.S. Department of Commerce, issued a draft guideline of cybersecurity features that manufacturers can voluntarily adopt for IoT devices, which is also relevant to medical devices.
Measures for Patients
Stakeholders in the cardiac device sector also need to relay to patients the importance of cybersecurity. One major point to drive home? Only use home monitors and implantable devices that were obtained directly from the manufacturer.
Patients, too, can be encouraged to protect themselves by:
- Always changing default passwords when setting up a device
- Taking advantage of the latest software upgrades and other device improvements
These precautions will ensure the device has not been tampered with and is updated with the latest security software.
To sum it up, cyber threats can never be eliminated. But by taking the aforementioned steps and educating the public about the importance of device cybersecurity, the likelihood of an adverse event can decline.
Stuart Long is the CEO of InfoBionic. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at firstname.lastname@example.org.