Healthcare News & Insights

Study: Medical device security isn’t well reported

Many medical devices connect to providers’ networks, meaning they could be vulnerable to security attacks, just like any other network-facing computing device. And according to one study, the government isn’t doing enough to track risks and enforce security. 

As health IT plays a bigger role in patient care, monitoring tools and other electronic medical devices are becoming more sophisticated. Often, that means they run complex software or use wireless connections to send data to be stored on a healthcare provider’s network.

While those devices have helped improve care, they’ve also added new risks — as any IT pro knows, software can contain security vulnerabilities, and once devices connect to a network, they can be hit with malware and other attacks from hackers. Those attacks can be used to steal data from the device or to use it as a backdoor into the rest of the provider’s network. Hackers can also seriously threaten patient safety by disabling or tampering with the device.

Security researchers have recently demonstrated the possibility of IT security attacks targeting medical devices. For example:

  • At a conference in 2011, one security researcher demonstrated an attack that could change the settings of an insulin pump without the user’s knowledge. He also found a way an attack could eavesdrop on transmissions from a glucose monitor.
  • The Department of Veterans Affairs conducted a study of malware infections and found 142 separate instances of malware affecting 207 medical devices between January 2009 and December 2011.

One reason those tools remain so vulnerable to security threats is that the U.S. Food and Drug Administration (FDA) doesn’t do enough to track security vulnerabilities in medical devices, according to a study published in PLOS ONE.

Researchers from Harvard Medical School, Beth Israel Deaconess Medical Center in Boston and the University of Massachusetts Amherst computer science department looked at nine years’ worth of data in public FDA databases used to evaluate recalls and adverse events involving medical devices.

What they found: While the databases contained a lot of information about labeling errors, battery problems and sterility issues, very little information related to IT security problems was found.

Without publicly shared information about those threats, it’s more difficult to discover and correct them, researchers said. They recommended that the FDA create an easier reporting mechanism for medical device security problems and add “safe harbor” provisions that prevent providers from being held liable after reporting issues.
