Threat Assessment: Connected Medical Devices

The terminology that describes medical devices and connected medical devices can be confusing. Let’s start by looking at how these devices are defined.

Medical Device: a contrivance designed and manufactured for use in healthcare, and not solely medicinal or nutritional.

Internet of Medical Things (IoMT): devices linked to cloud platforms that store and analyze data.

Internet of Healthcare Things (IoHT): the convergence and integration of sensor data collected by medical devices and mobile technologies, as applied to healthcare.

The cybersecurity threat from connected medical devices is significant. A thought leadership healthcare paper published by IBM reported that 82 percent of healthcare organizations have experienced a medical device cyber attack.1 Therefore, it is critical for healthcare organizations of all sizes to build security practices to protect devices, data, and patients.

The FBI and the FDA Take Action

The threat posed to healthcare data by connected medical devices has government big hitters concerned. The FBI and the FDA agree that action is needed to protect patients and providers from medical device hackers.

In September 2022, the FBI reported that 53% of digital medical devices and other internet-connected products in hospitals had known critical vulnerabilities. The report listed a number of medical devices that are susceptible to cyber-attacks. The types of devices that are at risk might surprise you: they include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, and pacemakers.

As of March 2023, the Food and Drug Administration requires medical devices to meet specific cybersecurity guidelines. These guidelines are the result of concerns that the growing number of internet-connected products used by hospitals and healthcare providers could be hit by hacks and ransomware attacks.

Under FDA guidance issued in March, all new medical device applicants must submit a plan on how to “monitor, identify, and address” cybersecurity issues. Going forward, medical device providers will also need to make security updates and patches available on a regular schedule and in critical situations, and provide the FDA with “a software bill of materials,” including any open-source or other software their devices use.

But what about all the medical devices that are out there today?

How Big is the Risk?

There are more than 15 million medical devices in US hospitals with an average of 10 to 15 connected devices per patient bed. The global number of connected medical devices is on track to exceed 50 billion in the next decade. The growth of virtual medicine and the popularity of consumer wearables that collect and send data to clinicians are two factors contributing to this growth.

The number of connected medical devices is expected to continue to grow. Expert Market Research forecasts that the global IoT healthcare market will reach USD 892.9 billion by 2032.

Threats to these devices come from multiple directions: loss, theft, and hackers.

Medical Device Hacking

We immediately understand what it means for a person to lose their device or have it stolen. What happens when a medical device is hacked is less clear. When a malicious actor hacks a medical device, they modify it to do the following:

  • Perform a task it wasn’t designed for
  • Change a prescription dose or frequency of doses
  • Stop working correctly as the result of a malicious attack
  • Obtain or compromise patient data

The consequences of medical device hacking can be severe and lead to patient harm, injury, or death. Medical devices are designed to operate within very specific parameters. If they are not adjusted after a modification has been made to the hardware or software of a device, there can be negative patient outcomes.

Protecting Medical Devices and Patients

By combining physical and cyber security efforts, new insights become available to proactively detect and mitigate risks. Guarding against unauthorized physical and digital access creates a multi-pronged defense against data breaches.

Not only must assets like files and information be secured, but medical devices must also be safe from unauthorized access. Securing devices and information physically should include policies limiting physical access, securing machines in locked rooms, managing physical keys, and restricting the ability to remove devices from a secure area.

Amid escalating data breaches, the fusion of AI-powered video surveillance, access control, and behavioral analysis fortifies physical security while amplifying cybersecurity.

Brivo Cloud-based Access Control

Brivo provides modern access control for healthcare providers, keeping essential workers and facilities safe as they care for others. The complexity of protecting sensitive patient data, expensive medical equipment, prescription drug regulations, privacy, and employee safety necessitates robust access control throughout the healthcare industry. Download this free eBook to learn more about Brivo’s modern cloud-based access control solutions for healthcare and wellness.
