Medical devices such as pacemakers and infusion pumps are increasingly coming under scrutiny for being susceptible to cybersecurity attacks.
But how does a hospital know if it is buying a device at risk of being hacked?
Even if the device is approved by the Food and Drug Administration, it’s just about impossible for a hospital to be certain that it is secure, according to Mike Kijewski, CEO of MedCrypt, a company that builds security features into medical devices.
Because of this, more hospitals are demanding that devices include security requirements upfront, he said.
“We really see this becoming part of decision-making criteria,” he said. “Sales are being made or lost based on security.”
Case in point is a security researcher who in 2016 found vulnerabilities in St. Jude Medical pacemakers. A year later, the FDA and Homeland Security issued an alert for about 465,000 pacemakers from St. Jude, owned by Abbott, and a firmware update to close the security flaw of the radio frequency communication devices.
The company’s stock value dropped.
“The most interesting thing, this was a great demonstration of how a company can suffer financially,” Kijewski said.
Also in 2017, the FDA issued a recall of the St. Jude implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators due to premature battery depletion.
Lawsuits included one from Humana to recoup payments it made for the devices.
There have been a couple of cases of ransomware in which imaging equipment was the entry point, according to Kijewski. And then there the attack on a casino in which hackers got in by manipulating a fish tank thermometer.
“The biggest areas now of concern are medical devices,” said Cheryl Martin, chief knowledge officer for the American Health Information Management Association. “The medical device industry is well aware, there is a good coordinated effort. Everything is just a small computer now.”
The next target is just about anything that plugs in and is wireless, including smart fridges, printers, phones and, yes, Alexa, Siri and Google Assistant, all of the latter already under scrutiny for privacy concerns.
“With the IoT [internet of things], it’s anybody’s guess. Every something that comes on the market is in essence its own small computer with an ability to find its way into something,” Martin said. “I guaranteed Alexa and Siri is on the horizon.”
Date: August 23, 2019
Source: Healthcare Finance News