by Karl Kapp
Major breaches of servers holding secretary of state emails or personal credit card information make headlines. This is especially true during the presidential election, with its tremendous focus on emails that were made public after they were stolen from an unsecured email server.
However, another critical cybersecurity concern is the potential for bad actors to hack their way into medical devices. The FDA has been working through several channels to combat potential hacking of medical devices. It has recently been working with “hospitals, health care professionals, and patients to provide medical device manufacturers with guidance for monitoring, identifying, and addressing cybersecurity vulnerabilities in their devices before and after they have entered the market.” Additionally, the FDA is working with security companies and security researchers to determine what can be done to keep medical devices safe from hacking.
In fact, the FDA has taken what it calls a “Life Cycle Approach” to dealing with medical device cybersecurity. According to the FDA:
A life cycle approach requires creating, evolving, and maintaining a comprehensive cybersecurity risk management program starting from early product development and extending throughout the product’s lifespan. A key component of such a program is what should be done after a product’s potential risks and vulnerabilities have been identified. A life cycle approach should include manufacturers collaborating with entities that discover threats or vulnerabilities to a medical device’s cybersecurity in order to understand and assess the identified risks. It should also include manufacturers developing appropriate solutions prior to the vulnerabilities being publicly disclosed, which is an added protection for patients.
According to an article titled “This is the Real Threat Posed by Hacked Medical Devices at VA,” not only could someone harm another person by hacking into their pump or pacemaker, but they could also hack into that system and leverage the access to gain information contained in medical health records. The goal would be to gain access to financial data and personal information, which can then be sold to the highest bidder.
In today’s connected world, cybersecurity and eliminating vulnerabilities need to be a concern for any company creating networked medical devices. It’s not just a problem for credit card companies or secretaries of state; it’s a concern for everyone.