
FIT Insights

Cybersecurity in medical devices: What’s required to ensure patient safety

In May 2017, the WannaCry ransomware cyberattack was unleashed, quickly infecting tens of thousands of computers in more than 100 countries [1]. Infected computers displayed a message that the system’s files had been encrypted and demanded a ransom be paid to unlock them. This cyberattack exposed vulnerabilities in many healthcare systems around the world. Most notably, the attack disrupted the United Kingdom’s National Health Service, resulting in cancellation of about 20,000 clinic visits. During this attack, there were also some of the first reports of medical device infection in the United States. Although no direct patient harm occurred, this highlighted the need to improve cybersecurity in medical devices.

Ensuring adequate cybersecurity in medical devices is essential to patient safety. Modern medical devices frequently allow connection to the internet and it is easy to see how some medical devices – such as implantable cardioverter defibrillators (ICDs), left ventricular assist devices, insulin and other infusion pumps – could cause direct patient harm if dysfunctional.

Currently, the Food and Drug Administration (FDA) is in the process of updating its pre-market guidance regarding the design and labeling of medical devices with cybersecurity risk. One key facet of the proposed update is the separation of medical devices into two tiers of cybersecurity risk. “Tier 1” devices are those capable of connecting to the internet or other devices and of causing direct patient harm. The aim is to explicitly identify higher-risk devices needing more extensive cybersecurity safeguards. Another proposed change to pre-market guidance would recommend inclusion of a cybersecurity “bill of materials”. This document would contain a precise catalog of the hardware and software components of a device that could have implications for cybersecurity. Currently, it’s often difficult or impossible for healthcare systems to determine what hardware and software components are contained in a medical device. This lack of knowledge is a key barrier to the development of adequate protections against cyberattack.

So how should this affect patient care? First, patients and clinicians must recognize that cybersecurity threats are likely to increase in frequency and sophistication and that addressing vulnerabilities in medical devices is a necessary component of longitudinal patient care. There should be a shared expectation about the potential need for device updates throughout the device’s lifecycle because there will be challenges ahead. Medical device software updates have the potential to cause unexpected device behavior or overt dysfunction. This will necessitate a discussion of the risks and benefits of performing device software updates in some cases. This will be unfamiliar terrain for most clinicians and patients, and it will be challenging for clinicians to lead discussions on this topic. Research into optimal communication strategies and patient preferences will be helpful.

Thankfully, there have not been reports of a cyberattack on medical devices resulting in direct patient harm. This will inevitably occur if we do not make continued efforts to improve medical device cybersecurity.

Reference

  1. “WannaCry Ransomware: What we know Monday”, Bill Chappell, 15 May 2017. https://www.npr.org/sections/thetwo-way/2017/05/15/528451534/wannacry-ransomware-what-we-know-monday

Author

Christopher Cook, MD

Dr. Christopher Cook is a general cardiology fellow at the University of South Florida in Tampa, FL. He volunteers as a fellow-in-training blogger for Professional Heart Daily.