There’s no doubt that the Internet of Things (IoT) provides critical security challenges for healthcare organizations that need to be addressed.
The Food and Drug Administration (FDA) recently released guidance on handling medical device vulnerabilities, closely following the release of its more general medical device cybersecurity guidance. As the IoT matures, IoT-connected devices are a growing security concern, and the FDA has increased its focus on medical IoT device security.
This once again brings too close to home the overriding message to vendors and consumers alike that no Internet-connected device is 100 percent secure. If it is connected to the Internet, it can be hacked. Of course, the risk and impact multiplies when the IoT product is a medical device.
Medical devices, and the systems they connect to, can seriously impact patient health. Thankfully, software patches are now addressing the vulnerabilities presenting the biggest risk and are combatting a number of threats.
The fact that traditional hackers are now moving beyond mere desktop computers to medical devices demonstrates how cybersecurity is hitting home in a very personal way, with the risk now extending to the care being delivered to our loved ones.
Medical device manufacturers need to manage any risks related to software vulnerabilities within their own code, as well as monitor and react on vulnerabilities of any third-party or open-source software components they might be using in their devices. They should also have a strategy in place to get updates out to healthcare organizations using their products.
A vulnerability is an error in software that can be exploited with security impact and gain. If hackers launch an attack against Internet-connected medical devices, it can cause enormous damage to the medical manufacturer and providers’ patients, either because the products are controlled by the hackers or because the user data is extracted and abused by those hackers.
Consequently, medical device manufacturers need to increase their focus on the security of the device itself, as well as the software that controls the device. This includes careful code testing, continuous maintenance, careful mapping of bundled software and verified intelligence about software vulnerabilities in that software—as well as ample resources to react promptly and effectively as soon as a vulnerability in the product is reported.
Healthcare organizations, additionally, must be aware of hacking risks and apply sufficient pressure on their vendors to stay current in defeating hacking threats.
One of the primary concerns associated with Internet-connected devices is the risk of hackers exploiting vulnerabilities and using applications on medical devices as a vector for viruses and malware. Today, more than ever, it is up to medical device manufacturers to be vigilant and mitigate the exposure associated with connected devices.
They can do so in five simple steps:
- For medical applications that sit at the operating-system level, adopt tamper-resistant technology to protect software applications from hackers.
- Protect embedded software on the medical device from reverse engineering and make changes at the machine level to strengthen protections.
- Ensure that the applications on medical devices and mobile-device management systems have an easy, automated mechanism for getting the latest security patches and updates out as fast as possible.
- Proactively monitor medical devices for application issues.
- Provide a reliable and secure ecosystem with clear traceability through the supply chain—from initial software delivery to subsequent firmware/software updates on the device—as well as the ability to proactively disable devices at mandated end-of-life or during product recalls.
Healthcare organizations can’t solely rely on medical device manufacturers’ efforts to protect their devices. Provider organizations must be sure they work hand-in-glove with manufacturers to ensure device protections are current and effective.
Recently, much attention has been paid to potential security threats facing smart, Internet-connected appliances, such as thermostats, TVs, wireless speaker systems, refrigerators, cars and more. As the news progresses from the advantages of the Internet of Things (IoT) to the associated risks of exposure, it is more important than ever to discuss how device manufacturers can embrace these products while keeping risks at bay, especially when it comes to medical devices.
By: Matthieu Baissac
Original posting: April 6, 2017 in HealthData Management