“It's not just a kid in their basement causing trouble. These are actually financially motivated intruders who are going after the low-hanging fruit. Healthcare happens to be fairly low-hanging fruit when it comes to cybersecurity,” Fu said at the Food & Drug Law Institute annual conference.
He added that medical devices cannot properly perform critical clinical functions once infected by ransomware. “If the device is not available to deliver patient care, that seems like a safety issue. Let's say there's a potential adulteration of a product because of a cybersecurity incident. Maybe it's ransomware that got in and encrypted the hard drive of a medical device. A real question is how do you know that the device still has integrity?”
Fu suggested that the medtech industry enhance its threat modeling capabilities, which play an important role in premarket reviews. “Networks are inherently hostile, even VPN networks. They were never designed to provide end-to-end security. So, the device still needs to have requirements for a security threat model assuming the network is effectively under control of the adversary,” he noted.