Medical devices have become an increasingly important part of the health industry. From streamlining procedures to storing data, they serve a number of purposes. However, at the same time as their growth in popularity, they have also caught the attention of hackers. Considering the impact a breach on these devices could cause for a hospital or other medical facility, protecting them is essential. That means strengthening cybersecurity. Hence, medical devices are another one of our focuses here at Dellfer. So, as we did with cars in our last post, let’s check in on the latest around medical device cybersecurity.
Vulnerabilities in Medical Devices
Recently, cybersecurity firm Trustwave Spiderlab released an advisory stating that it had discovered vulnerabilities within third-party software for used for Canon Medical’s Vitrea View product. According to Medtech Dive, the vulnerability had the potential to expose patient information and credentials for other services and could even allow attackers to modify information. After being contacted by Trustwave, Canon Medical developed a patch for the issue. But this is just one example of the vulnerabilities plaguing medical devices, especially when it comes to third parties.
As the American Hospital Association (AHA) writes, “Third-party cyberattacks pose one of the biggest challenges on the health care cyber-risk landscape.” It points to the stat revealing that 55% of health care organizations surveyed experienced a third-party data breach in the last year. Another example of this is the case of OneTouchPoint, a third-party mailing and printing vendor. That cyberattack reached over 30 providers and 2.6 million patients.
Cybersecurity Solutions for Medical Devices
One hope for addressing this growing problem was supposed to be federal action. About a month ago, the FDA passed an appropriations bill designed to “to reauthorize FDA user-fee agreements, target lower costs, support innovation and improve generic drug competition,” as described at SC Media. It was also meant to include regulatory cybersecurity requirements for medical device developers to follow. However, the bill was passed without that part.
While such requirements were not incorporated this time around, the FDA is still reportedly working on compiling them. In the meantime, though, there are other steps that can and should be taken. John Riggi, AHA’s national adviser for cybersecurity and risk, suggests some. For one, he recommends reviewing your third-party, risk-management program (TPRM) framework. Once that is completed, make sure to implement risk management tools and communicate with internal teams about the policies attached to them. Lastly, he emphasizes the importance of preparing for how your organization will respond and recover in the case that you are hit with a breach.
Dellfer is here to help you secure your network of medical devices as well. We have developed a unique approach in which we take a fingerprint of the software used to run an IoT device, then set up detection mechanisms that trigger defenses if any changes appear. To learn more, visit our medical devices resource page.
Sources:
- “Cyber risks identified in Canon Medical product used to view medical images, security firm says” – Ricky Zipp, Medtech Dive
https://www.medtechdive.com/news/cyber-risks–canon-medical-trustwave-spiderlab/632954/ - “Third-Party, Cyber-Risk Skyrockets for Health Systems” – American Hospital Association
https://www.aha.org/aha-center-health-innovation-market-scan/2022-10-25-third-party-cyber-risk-skyrockets-health-systems - “FDA bill passes without cybersecurity requirements for medical devices” – Jessica Davis, SC Media
https://www.scmagazine.com/analysis/device-security/fda-bill-passes-without-cybersecurity-requirements-for-medical-devices
