According to Deloitte, medical devices have increasingly been the target of cyberattacks. Because these devices provide critical services, cybercriminals think healthcare companies will quickly pay a ransom. This uptick in medical device cyber incidents has disrupted supply chains, manufacturing processes and research that resulted in hundreds of millions in damages and reputation. At the same time, the pandemic accelerated medical IoT adoption to reduce in-person contact. In fact, IoT medical devices will almost quadruple in value by 2027.
Simply stated, medical device security requires device developers to not only integrate security best practices into their device designs, but also to ensure that those devices can be monitored and updated to keep them secure over their lifecycle.
Medical device security is possibly the most urgent security issue facing the healthcare industry currently. Medical device OEMs must utilize security tools and processes to prevent unauthorized access to or control of those devices and their associated data. And they must build in the capability to remotely send out firmware security updates reliably as threats emerge.
Because diagnostic medical devices such as MRI machines, CT scanners, and X-ray machines increasingly connect to networks, they’re vulnerable to the same hacking, malware, and ransomware attacks as other types of networked hardware.
According to some estimates, 20-30 billion medical devices in the U.S. are connected in the growing Internet of Things (IoT) landscape. These IoT medical devices include infusion pumps, insulin pumps, pacemakers, medical wearables and even ventilators. According to a Moody’s report, an IT security company reported an almost 10,000 percent increase in attempted attacks on healthcare customers between 2019 and 2020.
In the case of these medical devices, an attack can compromise a patient’s private data or even their health. Recent ransomware attacks resulted in patient deaths when an Alabama hospital was unable to use fetal heartbeat monitors after the devices had been hacked. That’s why the Food and Drug Administration (FDA) has established guidelines and requirements for connected medical devices security. Compliance with these regulations falls to manufacturers as well as healthcare providers.
In the United States, the Food and Drug Administration regulates medical devices and one of the FDA’s top cybersecurity priorities is the threat of ransomware on medical devices. However, medical device cybersecurity is the responsibility of both connected device manufacturers and suppliers as well as the healthcare organizations that use them, underlining that there may be security breaches anywhere in the medical environment.
Medical device manufacturers and healthcare organizations form the first line of defense in reducing cyberattacks on their devices. By incorporating some defensive measures and proactive monitoring, medical device manufacturers and healthcare associates can enhance the security of their devices while safeguarding the well-being of patients using their devices.
The issues with cyber security medical devices face is increasing over time, which makes these considerations imperative at every phase of the chain from development to end use. Here are some steps medical device manufacturers can take.
By the end of 2020, the healthcare industry paid around $20.8 billion in downtime — almost double 2019 amounts. In fact, the number of records affected in 2020 increased by 470 percent since 2019. Even worse, healthcare providers paid around $2.1 million in ransom for patient data.
Then in early in 2023, the FDA began requiring medical devices to meet specific cybersecurity guidelines which were written into law. To address growing medical device security vulnerabilities from cyberattacks on hospitals and internet-connected devices, all new medical device applicants now must share their plans for monitoring, identifying and managing cybersecurity issues. This is a major change from how medical device manufacturers must address the safety and security of their products from their conception, throughout their lifetime, until obsolete.
The new FDA medical device security requirement includes:
Additionally, the FDA now plans to refresh its medical device cybersecurity guidance every two years.
In Europe, MDR 2017/745 and IVDR 2017/746 cover the newest medical devices. The documents outline new essential safety and security requirements for all medical devices with programmable systems, as well as software medical devices.
The NIS2 Directive and GDPR legislative acts include the cyber security standards for medical devices and for managing personal patient data. Finally, the EU Cybersecurity Act includes a cybersecurity certification framework that promises to strengthen IT processes, products and services protections.
Internationally, two guidance documents outline basic cybersecurity principles for the life of the medical devices. First, the International Medical Device Regulators Forum drafted the Principles and Practices for Medical Device Cybersecurity. Then, the Medical Device Coordination Group published the EU MDCG 2019-16 Rev.1 Guidance on Cybersecurity for Medical Devices.
Because regulators hold medical device vendors accountable for security, interest in finding new ways to reduce medical device cybersecurity threats is growing. Keep an eye on these emerging technology trends:
There is no doubt that medical device security standards are important and will become increasingly so in the coming years. That’s why healthcare providers and medical device manufacturers alike should prioritize security as IoT medical device growth and demand grows.
To start, select a seasoned wireless and wired communication partner with deep expertise in IoT device security who understands medical device security best practices. That’s where Digi can help. Since 1985, Digi has been a pioneer in wireless and wired communications and provides end-to-end solutions across industries.
The Digi ConnectCore ecosystem is a complete suite of embedded modules, software, tools, and services. The ConnectCore platform provides connected solutions in highly regulated industries such as industrial and energy, medical, EV charging and banking where security is crucial.
A key component, our highly integrated system-on-modules, have unique benefits, including:
Let us help you with your medical device IoT security so you can confidently continue improving the health of your patients.