Medical Device Security: Patient Safety Takes Precedence Over Privacy
People typically mention data security and HIPAA penetration testing when talking about medical device security. Although there is much to be said about safeguarding patient privacy, patient safety comes first.
Because of the growing influence of what is now known as the Internet of Medical Things, patients are now more online than ever before. Allied Market Research predicts that by 2021, the IoMT will be worth $136.8 billion.
With connected devices, doctors can access real-time diagnostic and therapeutic information and modify treatments from any location. They are a great choice for a system trying to care for a rising population with few resources, but they are also quite open to attack.
The Problem with the Answer
An industry must exercise caution when experiencing rapid expansion to avoid moving too quickly. This can mean the difference between life and death in the context of healthcare cybersecurity.
Those who need insulin pumps or pacemakers depend on these connected devices. A hacker could change the instructions and possibly harm the patient if the software that instructs these devices has bugs.
Drs. Tully and Dameff were present at the 2018 Healthcare Security Forum. To show the possible effects of medical device hacking, they played a video of a simulated breach. The case was a fictitious patient whose pacemaker had been hacked, repeatedly shocking him and putting him into cardiac arrest before bringing him back.
The pacemaker was disconnected by emergency surgery because the medical personnel had never encountered a situation like this before and couldn’t reach a cardiologist by phone. The simulation revealed a lot to the cast and viewers of the video because they all witnessed the suffering and potentially fatal outcome of a patient who had fallen victim to hackers.
Drs. Tully and Dameff expressed concern that decision-makers, even knowing that such an attack might occur, might put off acting until it happens. Yet, according to Healthcare IT News, the first quarter of 2018 saw an all-time high in medical device recalls. What is the most typical explanation?
More than a year later, critical medical equipment still has security weaknesses.
In June 2019, the FDA issued a warning regarding a bug in Medtronic MiniMed insulin pumps that could allow a skilled attacker to modify the pump’s settings using unauthorized radio signals. Those who are affected may experience fatally low or high blood sugar levels.
The FDA advised patients to use safer alternatives after recalling the pumps.
Meanwhile, researchers have found 11 separate cybersecurity holes in operating systems that run IPnet, a program used in a range of medical devices. Because IPnet enables communication between connected computers, a hacker might target multiple patients with a single piece of software.
No specific incidents of patient harm brought on by a hacked system or network connection have been reported. On the other hand, the FDA’s Center for Devices and Radiological Health emphasizes that the risk is too great to wait for an incident to happen.
Furthermore, attacks may take place without the user’s consent or even awareness, according to FDA deputy director Suzanne Schwartz. We run the risk of overlooking innumerable smaller but no less catastrophic instances if we wait around for a high-profile tragedy.
The Purpose of Older Systems
Patient devices are connected to hospital or healthcare system networks, which are typically insecure. Frequently, these organizations lack the funding necessary to modernize those systems.
At the presentation noted earlier, Drs. Tully and Dameff presented a case study of a patient who was experiencing a stroke. They noted that the patient is dependent on a pacemaker that is prone to failure and a healthcare system that uses a very vulnerable network. Medical professionals won’t be able to exchange the information necessary to deliver life-saving care if such a network is disrupted.
The argument is not only theoretical. According to a paper published in the Journal of the American Medical Association, 70 percent of the 1,503 assessed breaches in 2018 targeted care delivery organizations.
Technological Trust Issues
Most doctors have confidence in medical technology and hardly ever consider potential cybersecurity risks.
Doctors’ naïve reliance on the medical equipment that keeps their patients safe is one of the most dangerous trends in medical technology, and the absence of recorded fatalities from compromised devices fuels it.
Doctors are taught to have confidence in medical technology. They frequently need to maintain that trust in order to concentrate on the patient. Skepticism is healthy when it comes to defending that patient from attack.
Physician-researchers Jeff Tully and Christian Dameff once showed a group of medical professionals equipment that had been compromised. When the researchers asked the participants to name any hacked devices, the doctors gave the mistaken impression that all the technology was secure.
Patients are mainly at risk when medical staff have such unquestioning reliance on connected devices.
Current Laws: Safety vs. Privacy
Billy Rios and Jonathan Butts, security specialists, created a simulation in 2018 that illustrated what may occur if hackers obtained access to a pacemaker or insulin pump. They demonstrated that a hacker might remotely reprogram either device, endangering or killing the patient.
Following this presentation, the FDA started issuing further rules and suggestions about patient safety.
Similarly, the FDA’s 2014 premarket submissions guidelines put a strong emphasis on data security and safety. The same document was issued in a revised form in 2018, with language specifically addressing security issues that “may result in patient sickness, harm, or death.”
The document also divides hazards into tiers, with the devices in the highest risk category having the potential to “directly result in patient harm to numerous patients” in the event of a security breach.
Nonetheless, patient safety has been the main focus of the FDA’s safety statements since 2018. Although HIPAA and other privacy regulations still apply, what good is privacy if the patient cannot afford it?
The Most Important Lesson for IT Professionals
Medical device safety is still a relatively new field. Clinicians and regulators are starting to understand the more serious repercussions of an attack on a patient after focusing for years on data security and patient privacy.