Computer hackers are an unfortunate reality, a side effect of the ever-evolving technology landscape in the digital age. As wireless capabilities continue to grow, so do the risks associated with medical devices, and cyber security becomes increasingly important.
There has not been a reported case of an adverse patient incident due to a medical device security issue; however, the potential clearly exists. Health systems are beginning to spend increased time and money addressing this issue.
The potential risks of networked medical devices include:
- Untested or defective software and firmware;
- Spyware and malware introduced into the device;
- Security and privacy vulnerabilities, such as:
  - Inadequate security practices
  - Failure to update security software
  - Unsecured password protection
  - Poorly configured internal networks
- Phishing attacks;
- Physical theft of medical devices; and
- Electromagnetic interference.
What are folks in the industry doing to get ahead of this issue? So far, there are a few different approaches.
1. Medical device manufacturers are proactively addressing the security challenge; however, many are not looking at this issue retroactively. The hope is to provide safer and more secure medical devices to customers via the sale of new products, but there is next to nothing being done to protect what has already been purchased.
Some may begin to develop internal programs to assess the risks of a cyber security threat to their own products. Others have said the U.S. Food and Drug Administration (FDA) prevents them from making patches and/or modifications to software, for fear that it could impact use of the product that had previously been approved by the governing organization. The FDA’s recent guidance said that routine updates do not require device makers to notify the agency. The one exception is in an instance where system vulnerabilities could lead to a serious adverse health outcome or death. In this case, the manufacturer would be required to notify the FDA, which has the sole authority to approve medical devices for use in the United States.
2. The U.S. government issued a draft guidance through the FDA in January 2016, outlining important steps medical device manufacturers should take to continually address cyber security risks. While this is intended to better protect the public health of communities, there are still industry voices saying these guidelines are not specific enough, and should require additional tightening of security parameters. Additionally, there are expectations from within the healthcare technology space that other governmental departments should become more proactively involved in addressing security specific to medical devices.
3. The U.S. healthcare community is divided on this issue. Are healthcare leaders aware of the potential risks involved? While some are addressing this proactively, others are sitting back and waiting for the manufacturing community to address this. There are even groups that are aware of the potential exposure, but do not have the resources to adequately address this challenge.
Regardless of the approach taken, there is no doubt that technology advances can both help us and put us at risk. The question is, what can we do to address those risks before a true threat has occurred?