Securing Medical Devices in the Age of the IoT

The U.S. Food and Drug Administration (FDA) cautioned the health care industry to be wary about networked medical devices containing off-the-shelf (OTS) software that can connect to networks. Both health care IT professionals and manufacturers are responsible for securing medical devices by performing regular software updates and applying security patches.

Stolen medical records are 10 times more valuable to fraudsters than credit card credentials. Even though medical devices don’t house full patient records, they can be targets if they are connected to networks. Networked medical devices are part of the Internet of Things (IoT) and extend the endpoints by which intruders can gain access to computing systems that contain patient data ranging from medical records to financial information.

Cyberbreaches have devolved from straightforward data thefts to acts of mischief that can cause disruption. Health care organizations should review any medical devices that connect to networks to protect their infrastructure and patients from malicious acts.

What Medical Technologies Are Vulnerable?

Connected medical devices use various types of software to perform their functions. Health care organizations generally assume that these devices meet the relevant specifications because the manufacturers execute FDA software validation processes to assure their products perform as intended. That validation process reviews the device, vendor-created software and any OTS software used to deliver the functionality intended.

OTS software can include operating systems such as Windows or Linux, utility programs such as Adobe Flash or interface components such as text editors. The device itself may work as intended, but because cybercriminals continuously search for vulnerabilities in any networked system they can access, these devices are subject to intrusion and exploitation.

The range of systems that can be affected includes some of the most important devices used for diagnostics and patient care. The FDA lists examples including “systems that obtain, archive and communicate pictures on networks within health care facilities, such as computed tomography (CT), magnetic resonance (MR), ultrasound (US), nuclear medicine (NM) and endoscopy; systems that monitor patient activity, such as electrocardiographic (ECG) systems; and systems that communicate with clinical laboratory analyzers, such as laboratory information systems.” That encompasses computers, routers and switches that connect operating rooms to databases.

Securing Medical Devices Is a Team Effort

IT professionals at health care organizations are accustomed to managing updates and patches for their computing environments, but medical devices are generally under the purview of the practice and maintained by manufacturers. The FDA stated that manufacturers have received guidance by way of updates and restatements of the agency’s rules regarding the use of OTS software.

Device manufacturers are responsible for the safety of their software, according to the FDA’s Quality System regulation. While the manufacturers are not required to retest their systems when they issue patches and updates, they need to keep their systems compliant with their original validation.

Health care facilities should take responsibility for the safety of their patients and their data systems by performing a comprehensive inventory of their connected medical equipment. Once they have identified the equipment and associated manufacturers, they should contact each manufacturer to request system status information, as well as assurance that software updates and patches have been applied.

Cybersecurity is a shared responsibility. Medical facilities deal with a large portion of the world’s population and house troves of sensitive information. The medical devices they use to make diagnoses and deliver treatment must be kept up to date to keep this data safe.

Listen to the podcast: Data Security Insights from a Health Care Insider

Share this Article:
Scott Koegler

Freelance Writer and Former CIO

Scott Koegler practiced IT as a CIO for 15 years. He also has more than 20 years experience as a technology journalist covering topics ranging from software and services through business strategy. Scott publishes ec-bp.com, a supply chain industry newsletter and has written for publications including Network Computing, Forbes, Internet Evolution, and many others.