Just this summer, a cybersecurity firm issued a report widely cited in the media detailing cases where unnamed hospitals were allegedly hit by data breaches after medical devices (identified only generically as a blood gas analyzer, a picture archive and communications system (PACS), and an X-ray system) became infected with malware or backdoors that allowed hackers to move within the health care network. (See, e.g., computerworld.com).
In addition, the FDA issued a Safety Alert in May of 2015 about cybersecurity vulnerabilities in an infusion pump. While this Alert was preventative and not the result of any actual breach, it described a common cybersecurity risk for medical devices:
Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device company operates. See fda.gov.
Notably, it is not usually an option to simply “disconnect” devices or otherwise disable their remote connectivity, as information transmitted remotely by medical devices to health care professionals can and does protect patient health. Additionally, medical device manufacturers do not control the hospital networks or health care organizations where their devices are used. Nor do they communicate directly with patients who use the devices.
Client Alert 2015-247