June 21, 2019
5 minutes

Medical Device Security—What You Need to Know

Cybersecurity Threats Continue to Find Vulnerabilities in Healthcare

21 June 2019

Over the past several years, we have witnessed an accelerated evolution of medical devices that has been heralded by advancements in materials science, sophisticated analytic modeling, and a global web of device communications flourishing across the Internet. And as the technology of medical devices continues to develop on the cutting-edge of progress, it’s more likely that we will also see these devices further innovated into servicing more areas of healthcare. As an example of this, smartphones and similar mobile devices are increasingly being used as a “patient-to-device” interface between the local processing power of the phone to transmitting data back to hospitals and healthcare practitioners. This effort has provided swiftness in offering doctors the information they need to diagnose and deliver remedies quickly and efficiently while reducing and eliminating health concerns for patients. But with the frontier of technology ever expanding within the realm of health and life sciences, we must remain vigilant of the growing and tangible threat to sabotage medical devices at the expense of patient lives.

The security dangers to medical devices in healthcare organizations is no secret. With the augmentation of networking these apparatuses into a larger web of health-related services to patients,their risk exposure points have been amplified too. In a recent study conducted by the College of Healthcare Information Management Executives (CHIME), it has been reported that 18 percent of healthcare organizations were impacted by malware or ransomware going back to December 2017 (Wagenen, 2018). Although the investigation noted that only a few instances did result in an outcome of compromised health information, the threats did present themselves as having an acute risk for disrupting the continuity of patient care—thus impacting lives. In a statement offered by Russell Branzell, CEO of CHIME, he stated, “Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” (Wagenen, 2018). While hospitals and healthcare organizations continue to interconnect devices to facilitate the fluidity and speed of patient care and information, so has the cybersecurity risk enlarged at an exponential rate in recent years. 

What’s more interesting is that reports such as the one spearheaded by CHIME have also triggered the “blame game” of where responsibility of securing devices needs to live. Most healthcare organizations and providers point to the manufacturer of the medical devices—but almost three-quarters of those polled stated that their resources were deficient and too burdened to holistically secure these devices.Adam Gale, president of KLAS Research—the firm that assisted CHIME in this study—stated that, “Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers,” (Wagenen, 2018). Although we are beginning to see some medical device producers becoming more proactive and accountable, it remains evident that they cannot exist alone in the fight against cybersecurity attacks. With government involvement increasing its presence, FDA has delivered language and enacted policies for affecting necessary change within the discipline of cybersecurity of medical devices.

On the U.S. Food & Drug Administration website, within the section focused on cybersecurity, FDA offers comprehensive information surrounding their position and policies regarding medical device security. If reasonable assurances for security are in place and benefits significantly outweigh risks, FDA is copacetic with medical devices being marketed to healthcare providers. But there remains the concern regarding the increase exposure to security threats as the business model continues to network these devices across the Internet,hospital networks, and the interconnection between apparatuses for treating patients. With this continued drive from both the commercial supply and demand from healthcare, vigilance is no longer enough when it comes to addressing the vulnerability of medical devices. 

FDA prescribes several best practices that medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) need to adopt to ensure proper defenses are in place to preclude attacks and mitigate risks. MDMs must be responsible for maintaining acuity in the identification of cybersecurity-related risks and threats; HDOs must assess their network security infrastructures and safeguard all hospital systems; both MDMs and HDOs are obligated to implement measures to reduce and preclude patient safety dangers while guaranteeing optimal medical device performance (FDA, 2018). FDA offers a downloadable fact sheet document that further details these principles regarding the role of the U.S.Food & Drug Administration and how it pertains to medical device security.To further edify the health and life sciences community of providers,manufacturers, and consumers (patients), FDA offers on their website clear illustrations to dismiss allegory which have been overwhelmingly embraced as credo. To add additional value to their oversight, FDA recently released a manuscript to provide effective guidance for healthcare organizations to secure their medical devices. 

On October 1, 2018, the U.S. Food & Drug Association in collaboration with MITRE Corporation unveiled a medical device security playbook intended to enable healthcare organizations to proactively plan for and respond to cybersecurity occurrences that involve medical devices (Donovan, 2018). This “playbook” allows for both effective operational cadence for an HDO as well as protections ensuring patient privacy. As a result of this effort, healthcare organizations have the direction needed to design and build a holistic cybersecurity preparedness and response framework. Including areas of managing asset inventory, creating a baseline of device cybersecurity information, and overseeing training exercises,the manual has given healthcare organizations the capacity to be both operationally exhaustive in approaching medical device cybersecurity. Additionally, the Office of Inspector General (OIG), a division of the U.S. Department of Health and Human Services, has officially advocated their support of FDA process changes to improve medical device security.  

In addition to authoring the medical device security playbook, FDA has also signed two memoranda of understanding which has established the framework of creating information sharing analysis organizations—also known as ISAOs. These groups, of which Sensato is a participating member, are subject matter experts who gather, analyze, and distribute information on cyber threat intelligence.FDA is also working in collaboration with the U.S. Department of Homeland Security to further enhance medical device security including, but not limited to, joint cybersecurity and tabletop exercises to simulate a myriad of situations involving acute threats to medical device security in healthcare organizations.FDA Commissioner, Mike Gottlieb, remains committed to spearheading the effort to thwart these looming dangers spawned by cybercriminals and similar Internet rogues who never rest in unlocking cybersecurity vulnerabilities that put patient lives in danger (Donovan, 2018). 

And still, with collaborative efforts, vigilance, awareness, and continuous education, medical device vulnerabilities continue to be besieged by malefactors across the world—some more sophisticated than others. Over the years, mounting evidence has demonstrated that medical devices inherently pose greater security risk potential with their widening interconnection across organization infrastructures. Every day we witness the influx of inescapable cyber threats that continues to burrow their way into unsuspecting machines designed to save patient lives. But while there remains an alarming increase in the number of issues impacting medical device security, there are also steps that healthcare organizations can adopt to harden their defenses which ultimately ensure the safety of patients’ lives.  

Building both a cybersecurity strategy along with preventative and responsive tactical planning is rudimentary in strengthening fortifications for all organizations sparring on the vanguard of cyber incursions. And as we continue to layer our security defenses with more formidable architecture and next-generation technology to counter these cyber attacks, we cannot rest assured that it’s ever enough. If your plan is reactionary alone, rather than a conflated approach that prioritizes proactive initiatives for facilitating cybersecurity across your organization, then while you’re at rest it will be at such time that your walls are breached. And while cyber attacks continue to spawn across our global expanse, they remain fueled by unflagging rogues who never take rest from their felonious efforts—and neither can you.

Works Cited

FDA. “Cybersecurity.” FDA, U.S. Food and Drug Administration, 17 Oct. 2018,

Donovan, Fred. “FDA Unveils MITRE's Medical Device Security Playbook.” HealthITSecurity, Intelligent Healthcare Media, LLC., 3 Oct. 2018,

Wagenen, Juliet Van. “Medical Device Vulnerabilities Continue to Plague the Industry.” HealthTechMagazine.net, CDW LLC., 11 Dec. 2018,

Cybersecurity Awareness Month Recap - Resources and Tips
October was National Cybersecurity Awareness Month which is meant to put a spotlight and focus on cybersecurity education and taking action to protect yourself and your organization from a cyberattack. Here’s a roundup of some of the top things we shared in October.
Four New Phishing Tactics to Watch Out For
By now most healthcare organizations perform cybersecurity awareness training and their staff are on the lookout for phishing emails. Cyber attackers are getting more savvy, however and are coming up with new phishing techniques that are harder to spot. Below are some examples of these new tactics and how to spot them.
Real-time Review of Oklahoma State University Cybersecurity Breach
Healthcare organizations that are victims of a cyberattack are reported daily. Reviewing OCR findings to identify actions you can take to protect your organization from similar attacks is a good best practice. Here is a review of the OSU breach to use as an example.
No items found.