Your healthcare organization most likely uses hundreds of medical devices every day to care for your patients. Medical devices give your team the tools required to provide the best care possible. The FDA outlines in the Medical Device Safety Plan how they oversee more than 190,000 different devices manufactured by more than 18,000 firms in more than 21,000 medical device facilities worldwide.
Organizations like the FDA and device manufacturers do everything possible to ensure that all devices used in daily healthcare operations are as safe as possible. However, sometimes, medical device security can slip through the cracks.
Based in Richardson, Texas, Emeritus specializes in medical device risk management, providing comprehensive services tailored to the specific needs of healthcare professionals in the Dallas area. Let’s explore the importance of healthcare cybersecurity for hospitals and healthcare facilities.
Cybersecurity Risks for Medical Devices
According to an article by the Association of American Colleges, cybersecurity risks for medical device management systems are no new issues. In 2011, a hacker named Jay Radcliffe, who had diabetes, was curious to see if he could hack his own implanted insulin pump. Not only was he successfully taking control of the pump easily, but he even discovered that he could deliver a lethal dose through the device if he chose to do so.
In 2017, for the very first time, the FDA recalled an implantable pacemaker because of concerns that it could easily be hacked. Also, in October 2018, after hackers demonstrated they could remotely manipulate another widely used pacemaker. As a result, the manufacturer temporarily shut down part of its vast Internet networking system to secure the popular devices.
These are just some examples of patient-used devices that can be hacked. Simply put, any medical device that connects to the internet has the potential to be vulnerable to cyberthreats.
Cybersecurity in Healthcare
The list of internet-connected devices is lengthy in a hospital or healthcare facility setting. In our modern era, doctors, pharmacies, nurses, and administrators use a broad online network to collect patient data, monitor patient health, and provide treatments in a healthcare setting and at home. Therefore, all of these links and connections are continually at risk.
As such, healthcare facilities must protect the many devices they rely on to provide the best care possible. The first step to securing your medical devices starts with understanding the risks involved.
The Basics of Medical Device Risk Management
According to ISO 14971, there are global guidelines for medical device manufacturers and all medical device developers. They must have a documented process for risk management before a device is introduced to the public.
These measures include the following:
- identifying the risks associated with a medical device
- estimating and evaluating the associated risks with a medical device
- controlling the associated risks
- monitoring the effectiveness of the implemented risk controls
Virtually all medical device manufacturers that the FDA oversees do a solid job of orchestrating and implementing strong medical device risk management, but it is not failproof.
Hackers and bad actors constantly find new ways to access a network system or an individual medical device. Additionally, while a device may be tested for current cybersecurity threats before it’s put on the market, there can be new routes to hack any device in the weeks, months, and years to come.
In short, a healthcare organization should never rely on manufacturers alone to protect their healthcare cybersecurity regarding medical device risk management. Instead, healthcare organizations should have their own second line of defense to protect their data, operations, and patients once various medical devices are used.
Medical Devices that Hackers Can Target
As stated, there are thousands of devices that hackers can use to gain access to a broad spectrum of valuable healthcare data. Furthermore, there are a few devices that are common targets.
Pacemakers and Heart Rate Monitors
As noted in the 2017 and 2018 examples, pacemakers are commonly targeted because they can be easy to hack. According to a 2021 statement from the DHS, “an attacker with adjacent short-range access to an affected product, in situations where the product’s radio is turned on, can inject, replay, modify, and/or intercept data within the telemetry communication.”
MRI Devices
MRI devices are at a high risk of cyberattacks, because they tend to be deeply connected to hospital networks, constantly exchanging images and other data. In fact, in 2018, a group called Orangeworm hacked into X-ray and MRI machines in three distinct continents – North America, Europe, and Asia. These cybercriminals found that they could sabotage the MRIs, as well as the broader healthcare system, from the inside out.
Wearable Health Devices
Wearable health devices are on the rise, which means that potential cyberattacks on these devices are also on the rise. Since wearable health devices contain a wealth of information, they can be used for ransomware, information harvesting, and blackmail, among other common hacker goals.
Insulin Pumps, Hearing Aids, and Other Devices
Any device that connects to an app or an online portal can be at risk, and the most used devices are also the most common targets.
The Importance of Medical Device Risk Management in a Healthcare Facility Setting
A hacked device can lead to a hacked hospital network, which in turn, leads to huge consequences. For example, in 2020, a ransomware attack on Universal Health Services, a major U.S. hospital chain, resulted in the complete shutdown of its computer networks. As a result of the hack, the organization’s 400 healthcare facilities had to use pen and paper for record keeping — including medication dosing, treatment plans, and patient data— until the system was eventually recovered.
How Can You Protect Your Medical Devices? Don’t Do it Alone!
As countless examples have shown over a decade, healthcare organizations should not rely on manufacturers and the FDA to do the heavy lifting when it comes to medical device security.
Therefore, being able to constantly monitor all of your medical devices on a regular basis for potential threats seems like a daunting task, but you don’t have to do it alone.
Even the largest hospitals and healthcare organizations likely don’t have the internal resources to constantly scrutinize every device for cyberthreats 24/7, which is why an experienced partner like Emeritus is essential.
Medical Device Risk Management and Safety with Emeritus
Our team of experienced clinical engineers and technicians in Richardson, Texas, stay by your side. You can rest assured that all of your medical devices have been properly audited and reviewed for cybersecurity threats. Also, we ensure that they will remain protected for their entire lifespan.
Reach out to us today to start a medical device risk management assessment and plan that can be easily implemented without interrupting the valuable services your facility provides every day.
We’re standing by to help you create a medical device management system that will protect your data, patients, and organization for years to come.