Medical device security: An ever-evolving and ever-challenging concern


Medical devices have the potential to play a transformational role in the delivery of cost-effective health care, but they can also expose patients to safety and cybersecurity risks. Like any computer system, medical devices are vulnerable to security breaches. The susceptibility of such devices increases drastically when connected to the internet, hospital networks, or other medical devices.

On this episode of CyberChat, host Sean Kelley, former chief information security officer at the Environmental Protection Agency and deputy chief information officer at the Veterans Affairs Department, addressed medical device cybersecurity with:

  • Dr. Paul Cordts, director and functional champion of the Military Health System at the Defense Health Agency.
  • Scott Blackburn, CIO in the Office of Information Technology at Veterans Affairs.
  • Dr. Suzanne Schwartz, associate director for Science and Strategic Partnerships in the Center for Devices and Radiological Health at the Food and Drug Administration.

While all medical devices carry a degree of risk, the panelists agreed cybersecurity leaders must ensure delivery of health care is not compromised. According to the Government Accountability Office, information security related to medical devices is a fairly new and evolving field for health care providers. Reuters reports hackers are targeting the $3 trillion U.S. health care sector because “medical records are valued at 20 to 50 times more than financial identities on the black market.” And according to the Identity Theft Resource Center, in 2016, the number of health-care organizations falling victim to data breaches reached an all-time high of nearly 400 reported breaches.

Today’s medical devices are expensive to replace, and agencies have shrinking budgets. Despite this, global medical device security market revenue is expected to reach $28.9 billion by 2023, according to a recent report.

In reality, medical devices may take up to 18 months to design. FDA approval can then take six to 18 months or longer, depending on the class of the device. By the time a medical device is ready for purchase, it is already at least two years into its operating life. Assuming devices have a nine-year life expectancy and are replaced on schedule, this timeline means medical devices remain in use several years past their expiration date — putting the average life of a medical device at more than 12 years. Imaging devices — some of which are known to be in use for 10, 15 and even 20 years — once connected to the internet face threats that did not exist when they were developed.

But cost and lifecycle are not the only challenges. Legacy technology is another obstacle. Adoption of new technologies is trending toward lightning speed, driven by ever-changing demand, which makes it difficult to migrate old software functionality into a compliant, up-to-date environment. Many agencies rely on decade-old technologies to support essential functions and day-to-day operations. Government agencies still have hundreds of thousands of older devices on the network, which makes providing a secure environment harder as access becomes more open and legacy systems fail to adapt to changing needs. Regardless, modernizing outdated legacy systems is critical to improving delivery of service, enhancing government operations and strengthening cybersecurity.

Another aspect of medical device cybersecurity is data and patient privacy. According to FDA’s Schwartz, connected medical devices can enable more real-time and remote monitoring, more accurate data delivered directly to the EMR, and new closed-loop treatment modalities.

VA and the DHA both use the Risk Management Framework for their risk-identification and risk-reduction methods, but is it enough? Like all cybersecurity issues and concerns, medical device security will require a holistic approach in which cyber, IT and business professionals sit down together to solve it.