Medical device systems have evolved from standalone devices to interconnected systems that communicate across networks and update medical records with sensitive information, exposing manufacturers, providers and patients to new risks and potentially harmful health and safety defects. Network-connected-and-configured devices can be infected by malware that provides access to patient data, monitoring systems and implanted patient devices. In June 2013, the FDA issued an alert to medical-device-makers indicating they are responsible for securing their devices against malware attacks and malicious actors, and also recently announced plans to establish a cyber security laboratory, leveraging the fuzz-testing process of sending intentionally malformed inputs to software, with a goal of locating vulnerabilities in medical devices.
Adopting these three recommendations can help ensure success: Manufacturers must understand how their medical device systems process, move and store sensitive information. They must build security in at the architecture and design stages to avoid the high cost of fixing vulnerabilities after the device is already on the market.
Regulators must bring medical devices under the purview of today’s health care regulations with the same, if not stricter, security requirements as compared to other IT and information assets. They also must demand that security be built in, not bolted on after the fact.
Health care facilities using medical devices must step-up their security monitoring programs to restrict unauthorized access to networked medical devices. This can be done through performing regular assessments, remediating known vulnerabilities, and developing incident management processes in the event of a breach or device failure.
We can expect the interconnectivity of new innovative medical devices to expand, forcing greater vigilance from regulators and health providers. While the lab will help uncover vulnerabilities, the real solution lies in practicing ‘security by design’ in the early stages of product development.