Medical Device Cybersecurity: When Ransomware Escalates to “Hostageware”
A Worst-Case Scenario
Time is ticking – and so is the heart of a senior U.S. Diplomat whose life is being threatened for a hefty ransom. The diplomat isn’t in the custody of the criminals making the demands; rather, she has been virtually taken hostage by cyber criminals who have hacked her pacemaker. Her Diplomatic Security detail is now feverishly working with the FBI to determine how best to handle this new threat to her life.
This outlandish scenario sounds like something out of an episode of The Blacklist, but cybersecurity professionals and medical device manufacturers are becoming increasingly concerned about medical device security. Just this August at the Black Hat and DEF CON security conferences in Las Vegas, researchers once again exposed the insecurity of medical devices by demonstrating how pacemakers and insulin pumps can be hacked to harm, and in dire instances, kill their host. As medical devices become increasingly connected to the Internet, hospital networks, and other technology to improve healthcare, the risk that these devices will be exposed to security breaches is also increasing. As such, medical device manufacturers can expect a more stringent regulatory environment when it comes to securing their respective products.
New Threats, New Resources
In a recent push for enhanced cybersecurity for medical devices, the U.S. Food and Drug Administration (FDA) issued a series of non-binding recommendations to help ensure that device manufacturers are adequately addressing evolving cybersecurity threats. The FDA’s Content of Premarket Submissions for Management of Cybersecurity in Medical Devices draft guidance covers: general principles and risk assessment, how to design a trustworthy device using the NIST Cybersecurity Framework, labeling recommendations for devices with cybersecurity risks, cybersecurity documentation procedures, and how to implement existing cybersecurity standards for devices. Even with this initiative, the FDA is not the only federal agency responsible for the cybersecurity of medical devices. The FDA works alongside numerous federal government agencies including the U.S. Department of Homeland Security (DHS), private sector industries, medical device manufacturers, health care delivery organizations, security researchers, and even end users to increase the security of the U.S. critical cyber infrastructure.
Cybersecurity for medical devices isn’t optional – manufacturers have to adhere to federal regulations. A large component of those regulations is the quality system regulations, or QSRs. The QSRs require that medical device manufacturers address all risk, with a particular emphasis placed on cyber risk. Additionally, the draft guidance incorporates a “cybersecurity bill of materials,” which lists the commercial and off-the-shelf software and hardware elements of a device that could be susceptible to vulnerabilities. On that note, the FDA and DHS have entered into a memorandum of agreement to increase their collaboration on medical device security. While the two agencies have already worked together on vulnerability disclosures, the memorandum will improve coordination between them.
Healthcare providers rely on various technologies and medical devices to care for patients and implicitly trust that the technology will do just that. However, many concerns are on the horizon regarding the safety of these devices. Cybersecurity in healthcare is moving beyond mere compliance and regulatory issues toward patient safety concerns. Healthcare providers and medical device manufacturers should develop efforts to ensure they have up-to-date information on the newest vulnerabilities, threats, risks, and best practices to secure their devices and, most importantly, keep patients safe.
For executives in medical device manufacturing and patient-focused healthcare, these trends are adding a whole new level of responsibility when it comes to managing risk. As such, it’s important to stay apprised of the many cyber risks your organization can face. Take a look at CyberVista’s Resolve executive training programs to keep your executives, boards, and C-suite apprised of how they can best address your organization’s cyber risk.