November 6, 2017 By Scott Koegler 2 min read

The U.S. Food and Drug Administration (FDA) cautioned the health care industry to be wary about networked medical devices containing off-the-shelf (OTS) software that can connect to networks. Both health care IT professionals and manufacturers are responsible for securing medical devices by performing regular software updates and applying security patches.

Stolen medical records are 10 times more valuable to fraudsters than credit card credentials. Even though medical devices don’t house full patient records, they can be targets if they are connected to networks. Networked medical devices are part of the Internet of Things (IoT) and extend the endpoints by which intruders can gain access to computing systems that contain patient data ranging from medical records to financial information.

Cyberbreaches have devolved from straightforward data thefts to acts of mischief that can cause disruption. Health care organizations should review any medical devices that connect to networks to protect their infrastructure and patients from malicious acts.

What Medical Technologies Are Vulnerable?

Connected medical devices use various types of software to perform their functions. Health care organizations generally assume that these devices meet the relevant specifications because the manufacturers execute FDA software validation processes to assure their products perform as intended. That validation process reviews the device, vendor-created software and any OTS software used to deliver the functionality intended.

OTS software can include operating systems such as Windows or Linux, utility programs such as Adobe Flash or interface components such as text editors. The device itself may work as intended, but because cybercriminals continuously search for vulnerabilities in any networked system they can access, these devices are subject to intrusion and exploitation.

The range of systems that can be affected includes some of the most important devices used for diagnostics and patient care. The FDA lists examples including “systems that obtain, archive and communicate pictures on networks within health care facilities, such as computed tomography (CT), magnetic resonance (MR), ultrasound (US), nuclear medicine (NM) and endoscopy; systems that monitor patient activity, such as electrocardiographic (ECG) systems; and systems that communicate with clinical laboratory analyzers, such as laboratory information systems.” That encompasses computers, routers and switches that connect operating rooms to databases.

Securing Medical Devices Is a Team Effort

IT professionals at health care organizations are accustomed to managing updates and patches for their computing environments, but medical devices are generally under the purview of the practice and maintained by manufacturers. The FDA stated that manufacturers have received guidance by way of updates and restatements of the agency’s rules regarding the use of OTS software.

Device manufacturers are responsible for the safety of their software, according to the FDA’s Quality System regulation. While the manufacturers are not required to retest their systems when they issue patches and updates, they need to keep their systems compliant with their original validation.

Health care facilities should take responsibility for the safety of their patients and their data systems by performing a comprehensive inventory of their connected medical equipment. Once they have identified the equipment and associated manufacturers, they should contact each manufacturer to request system status information, as well as assurance that software updates and patches have been applied.

Cybersecurity is a shared responsibility. Medical facilities deal with a large portion of the world’s population and house troves of sensitive information. The medical devices they use to make diagnoses and deliver treatment must be kept up to date to keep this data safe.

Listen to the podcast: Data Security Insights from a Health Care Insider

More from Healthcare

Cost of a data breach 2023: Healthcare industry impacts

3 min read - Data breaches are becoming more costly across all industries, with healthcare in the lead. The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for online criminal groups. These data breach costs are the highest of any industry and have increased for the 13th consecutive year. Healthcare is a highly regulated industry that the U.S. government considers critical infrastructure. As such, recent federal privacy standards, security standards and…

Cyberattackers target the Latin American health care sector

3 min read - Cyberattacks on the healthcare sector are a growing threat in Latin America, and the large amount of confidential data these organizations handle makes these attacks a top concern. The value of healthcare data in the illegal market, such as the personal, medical and financial information of patients and healthcare companies, creates an appealing target for threat actors. This can have serious consequences for the privacy and information security of these organizations. Cyberattacks could lead to reputational risks, interruption of operations,…

Increasingly sophisticated cyberattacks target healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today