Securing Devices and Protecting Patients

In late 2015 the Food & Drug Administration (FDA) advised hospitals to stop using an insulin infusion pump made by Hospira due to a proven vulnerability whereby a hacker could gain access and remotely control the machines. Innovative medical devices like these have helped healthcare providers monitor their patients more closely and offer cutting-edge, life-saving care. As the Hospira example shows, however, such advanced devices are also frighteningly vulnerable to cyberattacks that could jeopardize patient safety. It’s not an isolated incident, either. A recent two-year study found that 100 percent of investigated hospitals had cybersecurity vulnerabilities that could result in patient harm. While privacy and data security have long been a concern for hospitals, much more attention needs to be paid to the glaring cyber vulnerabilities inherent in the devices that physically interface with patients. This needs to happen at the care provider, manufacturer, and regulatory levels.

But what is the specific problem? Modern hospitals use thousands of different devices that typically connect to a wireless network so that doctors and nurses can monitor patients from workstations, or so that certain types of care can be provided remotely. These devices are designed and manufactured with their specific clinical function in mind and usually do not have adequate security measures built in. For instance, a hacker could remotely access an x-ray machine and manipulate its rudimentary and outdated software to instruct it to deliver a lethal dose of radiation. The same could be done to remotely controlled insulin pumps, monitoring devices relaying crucial patient data, or life support machines.

Enhancing the cybersecurity of medical devices can begin with manufacturers. Instead of each hospital that uses a particular device spending thousands of dollars to jury-rig an element of security into each machine, a manufacturer can spend only marginally more to build security features into the whole product line before the devices come off the production line. Beyond this, manufacturers would do well to keep their devices current after production with up-to-date operating software and to offer customers regular updates and security patches. Manufacturers also ought to provide hospitals with detailed maps of the ports and protocols their devices use, so that a facility's security personnel can build more precise network security policies around them.

At the regulatory level, the FDA already has precedent and enforcement tools to compel device manufacturers to ensure a high safety standard for their products. At present, the FDA requires manufacturers to report incidents in which their devices contributed to death or injury, and to establish and follow quality systems to ensure compliance with various manufacturing standards. As cybersecurity now very plainly contributes to the continued safety and functionality of computerized devices, regulations ought to be updated so that quality systems include cybersecurity best practices, and so that manufacturers can be held liable if vulnerabilities in their devices contributed to the death or injury of a patient.

Lastly, hospitals themselves can play a role in securing their networks and the devices they use. Where devices can be wired and isolated from the wireless network, they should be. Barring such steps, hospitals can at the very least implement tight access controls to critical systems, including multifactor authentication. Facilities can also segment their networks, using one wireless network for general use and a separate network specifically for devices. Where devices cannot themselves be secured, protocols such as Host Identity Protocol can mask them so that they cannot be easily discovered on the network. Finally, hospital administrators ought to be proactive in adding their own elements of security to the devices they currently use, while leveraging their relationship with manufacturers to ensure the next generation of medical devices is designed with due consideration of cybersecurity. The safety of patients depends on it.