Recent and high-profile cyber, ransomware and supply chain attacks on Kaiser Permanente, Ascension, and Change Healthcare have shown how the healthcare industry remains the number one target, and that no organization is immune. Last year, there were 249 healthcare related ransomware attacks reported to the FBI Crime Center alone, not counting those that slipped under the radar, and far more than any other critical infrastructure sector.
In the wake of these ongoing attacks, most healthcare providers and hospital systems have focused their security efforts on protecting electronic health records (EHRs), patient portals, and payment infrastructures. Yet, a critical threat is hiding mostly out of sight—the cybersecurity risk of implanted medical devices.
Implanted Cybersecurity Risks
Medical devices from pacemakers to insulin pumps, cochlear implants, glucose meters, nerve stimulators and more have revolutionized healthcare, improving quality of life and outcomes for millions of people. However, these devices’ reliance on wireless connections and software makes them potential targets for cyberattacks. If they are compromised, it could lead to the exposure of sensitive patient data or worse, direct harm to patients such as drug overdoses or delivering electric shocks at the wrong time.
These medical devices can connect to hospital and healthcare networks, potentially serving as entry points for direct access or lateral movement to access databases and web servers potentially exposing valuable patient, healthcare, and/or financial data.
We have seen several recurring vulnerabilities in implanted medical devices. These include unchanged default passwords, unpatched firmware, and web-facing misconfigurations. Collectively, these issues create entry points for malicious actors to gain access to patient health information, take control of devices, or manipulate them, putting patient safety at significant risk.
Weak Links in Device Security Create Real Concerns
One of the most pressing security concerns is that default passwords are often set by medical device manufacturers and rarely changed once a device is implanted in a patient. This creates a simple entry point for attackers, who can easily obtain these default passwords from publicly available sources. At the same time, misconfigured internet-connected devices can also create easy access points for cybercriminals to exploit.
Outdated firmware is another critical issue. Once a device is implanted, it is not always feasible to update its software when a new vulnerability is discovered. Even when manufacturers can develop patches, they may face delays due to FDA regulations that require rigorous testing and approval before updates can be distributed. While these regulations are vital for ensuring the safety and efficacy of medical devices, they also create a time lag that leaves patients vulnerable to cyberattacks.
The real-world consequences of such vulnerabilities are far from hypothetical. In recent years, Medtronic issued two recalls for insulin pumps for cybersecurity vulnerabilities that could allow hackers to alter insulin delivery settings. Although no attacks were reported, these recalls highlighted how real the threat is. As connected healthcare devices continue to proliferate and the attack surface grows, it becomes ever more critical to proactively address these risks.
The Need for FDA Patch Approval Reform
The regulatory framework around medical devices creates another major challenge in addressing these vulnerabilities. While the FDA plays a crucial role in ensuring the safety of medical devices, its approval process can create a bottleneck for cybersecurity improvements and patch deployment. When manufacturers discover security vulnerabilities in devices that have already been approved, they must still go through the FDA’s lengthy approval process for patch updates, even when the vulnerability poses an immediate security risk.
To mitigate this issue, it is essential that the FDA adopts a more agile regulatory framework that balances patient safety with the need for timely cybersecurity updates. One solution could involve pre-certifying security updates so that they can be implemented without going through the full approval process each time.
Recommendations for Improving Medical Device Security
To enhance the security of implanted medical devices, healthcare organizations and the FDA should take the following steps:
- Mandatory Security by Design: Device manufacturers should be required to implement cybersecurity features during the design phase, including using encrypted communications, multi-factor authentication, and built-in update mechanisms that allow for timely patching. Currently, this is only suggested in the FDA guidance.
- Change Default Settings: Hospitals and clinics must enforce policies that require passwords and configuration settings to be changed as soon as devices are deployed. This step alone could eliminate a significant number of vulnerabilities.
- Strengthening FDA Oversight: The FDA should develop a more streamlined process for security patches, allowing for expediting the review of updates that address critical vulnerabilities.
- Ongoing Training and Awareness: Healthcare providers also need to invest in cybersecurity training programs to ensure that staff are aware of the risks associated with medical devices. This includes developing protocols for responding to cyber incidents involving medical devices.
- Collaboration Between Government and Industry: Finally, government agencies and the private sector should collaborate more closely to share threat intelligence and best practices for securing medical devices. By having the latest information on medical device threats and potential attack techniques, healthcare organizations can improve their security.
A Call to Action for Healthcare Leaders
Connected medical devices and their cybersecurity risks will only continue to grow. To protect patient safety and data, it is imperative that healthcare providers, manufacturers, and regulators work together to address these vulnerabilities now. While protecting EHRs, patient data and payment systems is crucial, the hidden risks of connected medical devices need to be uncovered and taken seriously. The stakes are simply too high.
About Andrew Speir
Andrew Spier is the Vice President of Advanced Cyber Solutions and Commercial Services at Core4ce, a data-minded company serving national and enterprise security communities, with over a decade of experience in cybersecurity and healthcare IT industries. Currently, he leads corporate campaigns and oversees the Defense Health division, including a $350 million portfolio, $100 million in annual revenue, and 250 employees.
Before Core4ce, Speir managed CACI International’s NIWC and DHA healthcare IT portfolio, including the $90 million Medical Information Delivery System Engineering Support (MIDSES)contract. At Honeywell Technology Solutions, he worked with both DHA and NIWC civilians to co-author the Risk Management Framework Process Guide, which the Defense Health Agency now uses to meet National Institute of Standards and Technology (NIST) and DoD cybersecurity standards for Authority to Operate.