Why Medical Device Manufacturers Must Adopt Cybersecurity Practices

When it comes to cyber breaches involving medical technology, cybercriminals leave no stone unturned. Most notably, the medical device sector is under siege by ransomware, a type of malware that steals data and then demands a ransom from the owner for the release of that data. Protecting medical devices from this and other occurrences starts with medical device manufacturers.

Countless medical devices are connected to the Internet of Things (IoT). Also, there’s a sector of the medical device industry that is relevant to today’s digital health care landscape: Software as a Medical Device (SaMD). The International Medical Device Regulators Forum (IMDRF) defines SaMD as “software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device.”

These and other technological advancements have positively shaped the delivery and impact of vital medical care. But the digital evolution comes with an unspoken warning label: “Beware of hackers and unauthorized users who want to access and potentially abuse patient data.”

Allowing medical devices to access protected health information (PHI) raises significant concerns related to cybersecurity and data protection. The U.S. Food and Drug Administration (FDA), medical device manufacturers, and health care delivery organizations share the responsibility of identifying and mitigating such risks.

By definition, medical devices are equipment and apparatuses used in diagnosing, treating, and curing medical conditions. Pacemakers and insulin pumps that are connected to IoT, for instance, are vulnerable to being hacked. In the case of Medtronic, a global medical device company, certain insulin pumps were discovered to be susceptible to cybersecurity attacks, leading to FDA recalls.  

Why Do Hackers Want Patient Data?

There are countless motives for stealing PHI. In many cases, it’s lucrative. Selling the first photos of a royal’s newborn baby, for example, or leaking the medical records of a huge Hollywood star can have a huge price tag attached. In most cases, you may have third-party vendors and advertisers that want to build a list of marketing leads. Then there are the more nefarious reasons, such as manipulating doses on insulin pumps, which could lead to harm or death in patients.

According to The Verge, each hospital bed has an average of 10-15 medical devices that are connected to the internet. This statistic alone gives hackers all sorts of ways to plunder sensitive patient information. Unfortunately, the increase in connected technologies has created alarming challenges for hospitals, including an uptick in malware occurrences, according to Forbes.

No matter the reason, medical device manufacturers have formidable cyber threats on their hands.

FDA Guidance to Improve Medical Device Security 

The FDA, which serves as co-chair of the International Medical Device Regulators Forum (IMDRF), also gives cybersecurity guidance to medical device manufacturers and other health care stakeholders. In a report titled “Principles and Practices for Medical Device Cybersecurity,” last updated in March 2020, IMDRF encourages the implementation of cybersecurity measures throughout the total product life cycle of a medical device. The guidance document also discourages the use of medical devices past their life cycles. Instead, health care providers and others are advised to upgrade or replace the technology.

Other helpful FDA resources include “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” and “Postmarket Management of Cybersecurity in Medical Devices.” 

Cybersecurity for medical devices, ultimately, is a collaborative effort that health care providers, patients, inventors, manufacturers, the FDA, and others must uphold.  

If you would like to learn about Pathway NPI’s proactive approach to mitigating potential cybersecurity risks for medical devices, contact us today.