There is no doubt that networked and IoT-enabled medical devices save time, reduce costs and improve the quality of healthcare. The explosive growth of these devices has resulted in 10 – 15 devices per bed that can be connected with multiple data sources and automatically trigger life-saving actions. From IoT-enabled ventilators, infusion pumps, and glucose monitors to networked ultrasound and MRI machines, these devices deliver faster patient care by automatically triggering alerts and medications, as well as streamlining operations by automating machine maintenance and diagnostics. But the dark side of the tremendous gains that this technology offers, is that these devices dramatically increase the network attack surface, as most have weak or non-existent security. Medical device security and IoT medical device security are critical concerns because these networked devices can create security gaps that put the entire network at risk.

The murky cybersecurity threat landscape of medical devices, HIPAA and the FDA

Medical device security is a complex challenge that lies in the murky overlap of FDA and HIPAA regulations. Both medical device manufacturers and health care delivery organizations are struggling to reconcile HIPAA protections, such as protecting PHI through secure networks, devices and processes, with FDA medical device security rules, which offer weak guidelines for device security.

The FDA recognizes that all medical devices carry risks and asserts that it is the responsibility of both the medical device manufacturers and healthcare delivery organizations to design strategies and procedures to mitigate these risks.  Sadly, without clear guidance from the FDA on the specific roles of medical device manufacturer and healthcare delivery organizations, this gray area has resulted in both parties waiting for their counterpart to close the security gaps.

It’s no secret that the FDA is struggling to keep up with the rapid evolution of technology to implement effective and safe risk management protocols. Frankly, so are medical device manufacturers. A survey found that only about half of medical device manufacturers follow FDA guidance to reduce risks. Even more concerning is the fact that most medical device manufacturers have historically failed to acknowledge that if their devices create, transmit or receive PHI, then they have a responsibility as a “Business Associate” to be HIPAA compliant.  As we wait for regulatory guidelines to evolve, medical device manufacturers need to close medical device security gaps, and healthcare delivery organizations need to implement compensating controls to ensure HIPAA compliance. Hopefully, as California begins to implement the nation’s first IoT security legislation, and the FDA works to modernize their medical device security guidance, we will see a dramatic reduction in the risks associated with these devices and better harmonization between the FDA and HIPAA requirements.

What are some medical device security risks?

We all know there are no perfectly secure devices. However, medical device and IoT medical device security gaps are particularly risky, because:

  • Legacy systems – Many medical devices run on legacy systems that are no longer patched, such as Windows XP and Windows 2000. Unpatched existing and new vulnerabilities are easily exploited. Since these devices can contain patient information and test results data, this can result in HIPAA violations. Alternatively, malware can be uploaded through these devices to infect the entire network.
  • Security issues – IoT devices have a history of poor onboard security. At the same time, these devices are flooding the network and creating security gaps. Analysts predict that the explosive growth of the healthcare IoT market will continue to grow at a CAGR of almost 30%, to become a $322 billion industry by 2025.
  • Healthcare data – Any networked medical device can open a security gap that causes an expensive HIPAA violation. Almost 40% of medical devices are attached or can be attached to the network.

Reducing the risk of a medical device breach

Like any security challenge, there are ways to reduce the risks of medical device breaches. There is a wide range of technologies and best practices that can reduce these risks, here are a few strategies:

  • Ensure appropriate network segmentation that limits access to sensitive information and isolates less secure devices.
  • Quickly apply all security patches and updates to eliminate vulnerabilities.
  • Implement technology that enables you to automatically identify and locate every device connected to your network.
  • Monitor devices and network traffic in real-time, so you can quickly detect and stop bad behavior.

The bottom line for medical device security

Healthcare records are appealing targets. Full patient medical records are a valuable commodity on the dark web and sell for up to $1,000 each. This is significantly more than social security or credit card numbers, which are priced between twenty-five cents to about $100. Hacking and ransomware have become big business and these organizations are increasingly focused on high value targets, such are healthcare organizations. Closing security gaps is crucial to avoid breaches and the resulting HIPAA fines.

As we watch the regulatory and security landscapes evolve, organizations must assume the burden of protecting their network and closing security gaps from medical and IoT devices. In good news, the industry is evolving rapidly and real progress is on the way. The FDA has released updated draft cybersecurity guidance, and the manufacturers are already changing to meet the new California cybersecurity standards for IoT devices. As we await increased regulatory rules and collaboration to shrink these gaps, make sure you evaluate your network and current devices so you can develop a plan to compensate for these security gaps.

At LMG, we offer compliance advisory services that deliver unbiased advice to help companies find the solutions that best fit their needs and budgets. Please contact us if we can help.