The vulnerability of internet-connected medical devices is no secret. So far, though, there have been no major healthcare cybersecurity breaches linked to a device hack. The Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) are refocusing their combined resources in hopes of keeping it that way.
Under an agreement announced in October, the FDA’s Center for Devices and Radiological Health and the DHS Office of Cybersecurity and Communications are directed to coordinate their efforts and to share information about medical device cybersecurity vulnerabilities and threats with medical device manufacturers and researchers.
The agencies already work together on medical cybersecurity issues, coordinating vulnerability disclosures in which independent researchers look for flaws in device manufacturers’ products. The FDA and DHS have also collaborated on exercises simulating cybersecurity attacks. The simulations allow the government and other stakeholders to practice their responses to these threats.
The new arrangement formalizes the relationship of the two agencies with the aim of making it easier to share information about potential or known threats.
Announcing the agreement, FDA Commissioner Scott Gottlieb said in a press release: “As innovation in medical devices advances and more devices are connected to hospital networks or to other devices, ensuring that devices are adequately protected against cyber intrusions is paramount to protecting patients.”
Finding Flaws Helps Vendors Improve Security
The FDA took a step toward increased security in December 2016 when it released guidelines for medical device cybersecurity. The guidelines set out how manufacturers are to keep connected devices such as pacemakers and insulin pumps secure. Since then, manufacturers have reported 400% more flaws each quarter, showing that vendors are making efforts to improve device security.
The sort of cyberattack this collaboration between the two agencies is designed to combat has potentially lethal consequences.
Two researchers from the University of California system staged a simulation of what could happen to a patient whose medical device was hacked. An actor portrayed a patient showing signs of chest pain to nurses and doctors. The team of medical professionals began standard procedures to take care of a potential heart patient. However, the patient’s pacemaker was malfunctioning due to a hack, shocking the patient at the wrong time, so the patient kept dying and coming back to life.
No Training to Deal With Hacks
Disturbingly, none of the clinicians taking part in the simulation were able to ascertain that the pacemaker had been hacked. None had been trained to deal with a hacked medical device and none knew what to do in the situation.
One of the researchers, Christian Dameff, said that the fact that such an attack has not been recorded yet is not a reason to ignore the issue. He argued that, although a device hack is unlikely, it still needs to be addressed. “The first time something like this actually happens will change the conversation entirely,” Dameff told Healthcare IT News.
The focus must be not only on the devices but also on the healthcare organization’s infrastructure, according to Dameff. “The risk is involved in every aspect of care,” Dameff said. “It’s important to be aware of the entire picture.”
Jeffrey Tully, Dameff’s fellow researcher, emphasized that healthcare cybersecurity is “not only a protecting patient health information issue. Healthcare security is a patient safety issue.”