New reports warn that, following a spate of localized cyberattacks against health care facilities, federal officials and health systems are concerned that the next cyberattack target will be medical devices, including those in hospital rooms, at imaging centers and even inside patients' homes.
"Hackers have especially targeted health systems for their valuable troves of patient data and in some cases have temporarily knocked systems offline, disrupting patient care," Axios reported about the matter.
"But there are also a range of medical devices – such as MRIs, ventilators and pacemakers – that are potential targets, particularly when it comes to aging devices with outdated software."
Though the cyberattack threat to medical devices is still largely theoretical, experts like Toby Gouker, an executive at privacy and security firm First Health Advisory, believe that it is only a matter of time before hackers figure out a way to break them virtually.
"It's a real Achilles' heel and a blind spot for health systems," Gouker is quoted as saying. "What makes more money in a hospital than anything else? If you bring an MRI down, you can take a lot of health systems to their knees."
(Related: Some people believe that communist China is planning a cyberattack to take down America.)
Government watchdog calls on FDA to expand cybersecurity of medical devices
The U.S. Government Accountability Office (GAO) is calling on the U.S. Food and Drug Administration (FDA), which oversees medical devices, to work more closely with the Cybersecurity and Infrastructure Security Agency to coordinate cybersecurity and medical devices in advance of a potential attack.
Both agencies have responded to the GAO's call positively, stating that they, too, believe more needs to be done to protect medical devices from hacking attempts.
The GAO produced a report that says the vulnerabilities inherent to medical devices "still pose risks to hospital networks – and patients."
As of last March, a new law requires all medical device manufacturers to submit plans for how to address any cybersecurity vulnerabilities inherent to their products. That law does not, it is important to note, affect any connected devices that are already on the market.
"Everything from your hospital bed to your infusion pump next to the bed, to the monitor next to the bed that's measuring, monitoring your vitals, they're all connected," said Chelsea Arnone, director of federal affairs for the College of Healthcare Information Management Executives.
"Everything is online ... so they're all ostensibly hackable."
Because many medical devices incorporate off-the-shelf software that, like all other software, is vulnerable to threats like viruses and "worms," it is important that medical device manufacturers pay mind to this threat early on to avoid potential hacking problems later on down the road.
Up until the new law took shape and was signed into law, most medical device manufacturers offered little to no support in providing patches or other cybersecurity solutions to their customers, especially for older medical devices that no longer hold "blockbuster" status.
The name of the game for the medical device industry, just like with the pharmaceutical industry, is profits. And providing constant software support for older products means fewer profits, hence the need for legislation to force these companies to do the right thing.
One recent incident that illustrates the problem occurred in Russia after a hacker found a backdoor into a hospital's medical device. The hospital was unable to take the product offline in order to isolate the problem, and when its employees contacted the company for assistance, they were told there is no fix.
"It's just old school," Arnone said about the incident. "You're calling someone on the phone and waiting and trying to get the right person who can help you. It's like the worst kind of customer support."
More related news coverage can be found at CyberWar.news.
Sources for this article include:
Please contact us for more information.
