Cybersecurity for medical devices
By Rosemary Sparacio

The issue of cybersecurity in the medical and healthcare field was first discussed when it was still in its infancy in 2005. At that time, during a Medical Product Safety Network Conference, companies that were interested in providing off-the-shelf software, or were in the medical-device manufacturing business, were offering information and trying to present the possible scenarios and options for their products related to product and patient safety.


The necessary precautions in the cybersecurity field started with securing patients' personal health information. A computer game, Cybersecure: Your Medical Practice, taught staff in medical practice offices about data security procedures, compliance and how to learn to implement data safeguards whenever and wherever it is most convenient for everyone involved. But at that time, it did not address what became a larger security risk.

Since then, technological advances have required the U.S. Food and Drug Administration (FDA) and others to be much more proactive and involved in the process. And this process must include everyone: the FDA, the medical device manufacturers, the IT users (those who actually use the devices), who are mostly in hospitals and doctors' offices, and the independent IT providers (those who provide the software), such as the IBMs, Microsofts and Ciscos of the world, among a whole host of others.

Recently, in an effort to see how vulnerable software-driven devices actually are, two security analysts tested equipment ranging from surgical and anesthesia devices to patient monitors and laboratory analysis software. Once they had accessed 300 restricted passwords, they decided to stop their test and alert the federal government to what they had done.

In one instance, The Wall Street Journal reported that a VA catheterization laboratory in New Jersey was temporarily closed after malware infected the lab's computer devices. The story also mentions a Florida VA hospital in which 104 devices were infected with the Conficker virus. Another case involved a GE radiology device at Beth Israel Deaconess Medical Center in Boston that stored mammography images and patient information. It became infected when a GE technician connected the device to the Internet. Other kinds of devices affected by these malware and virus infections included X-ray devices and gamma cameras for nuclear medicine studies.

As a result, the FDA in June issued a new safety communication to recommend that "medical device manufacturers and healthcare facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack." The guidance spells out the recommendations for healthcare facilities, device manufacturers and the FDA itself, along with what is expected of each entity in reporting who, what, when and where potential risk issues surface involving medical devices currently in use.

It is the hope and expectation that the gathering of this information, in addition to solving the problems as they occur, will give device manufacturers and software developers the information needed to improve the devices and the processes in the future.

Rosemary Sparacio is a freelance medical and technical writer, and she substitute teaches in her current home in South Carolina. Rosemary has always been involved in healthcare and education, starting out in the lab as a med tech and in R&D. Her career led her to teaching microbiology at a community college, while working in the pharmaceutical industry for Pfizer.