What can we do about medical device security?

Hospital Safety Insider, September 12, 2019


By Brad Smith

The infamous security vulnerabilities in medical internet of things (IoT) devices need no introduction. For the last few years, we’ve been hearing warnings from researchers about weaknesses in a range of connected devices from various manufacturers. The risks range from exposing patients’ sensitive data to outright hijacking of devices, with potentially lethal consequences.

There is no denying that medical IoT is a huge step for medicine, and many IoT devices are life-saving for patients. But we can’t overlook their obvious weaknesses and associated risks. What can patients, clinicians, and regulatory bodies do to improve the situation?

Patients can take action

Users have limited power when it comes to securing medical devices, but there are still some steps they can take to improve their safety.

For password-secured devices, it’s essential to set a new password as soon as possible. Manufacturers have been known to preinstall the same password on several device models, making them incredibly easy to hack. A good password is a random string of letters, digits, and characters—preferably generated by a password generator. If a device has a Universal Plug and Play (UPnP) feature, it’s best to simply disable it. UPnP allows IoT devices to discover and connect to other network devices. This gives hackers another avenue for infiltration.

Another simple technique for patients to protect connected devices is downloading a virtual private network (VPN) app for use with their home router. A VPN encrypts internet traffic and protects the data stream from snooping eyes—whether they’re hackers or just advertisers. VPN apps can be downloaded directly onto a smartphone, laptop, or tablet, but not most connected devices. Running a router’s traffic through a VPN helps to bypass that limitation as the VPN encrypts all of the router’s incoming and outgoing traffic, including the traffic generated by connected devices.

Unfortunately, this strategy only works with devices used at home, such as vital monitors or telehealth appliances. Any device situated outside the patient’s secure home network is still vulnerable to cyberattacks.

Clinicians’ role in ensuring safety

In an article in the February 2019 Journal of Emergency Medicine, researchers detailed the execution of three clinical simulations designed to teach clinicians to recognize and prevent patient harm from compromised medical devices. The physicians who were part of the study admitted to being completely unaware that a hacked device could harm the patient. This lack of awareness shows that clinicians are insufficiently equipped to prevent patients from being harmed by their medical devices.

Using connected devices in healthcare brings a whole new set of threats to patients’ health and introduces additional responsibilities for clinicians working with these technologies. Healthcare organizations need to educate clinicians on the kind of risks that medical IoT devices carry and the necessary steps to take should the worst happen.

Clinicians must be able to recognize when a device malfunctions. As soon as an error is identified, it’s important to stop using the device to prevent possible harm and report the incident through the appropriate channels.

Healthcare organizations need to also ensure that connected medical devices used in their facilities have the latest software. Software updates are a way for manufacturers to patch any existing security vulnerabilities, so these updates are essential in ensuring patient safety.

We need regulatory change

Cybersecurity awareness from both healthcare organizations and patients goes a long way. However, the most important change needs to come from regulatory bodies.

Manufacturers famously underplay the security vulnerabilities of their devices and try to convince patients that the devices’ benefits outweigh their risks. It would be naive to hope that manufacturers will implement top-quality security testing without a legislative push.

There are three main areas of product design and manufacturing that need to be regulated with stricter laws. First is authentication: issuing certificates for healthcare devices to make sure only authorized users, messages, or services have access to the device. Second is encrypting all devices by default so information can pass privately between the patient and the authorized healthcare organization. Patients shouldn’t need to pay for and install a VPN service to be protected. Lastly, there should be a system in place to run automatic checks on every device and confirm that its software is intact and up to date.
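To make the third point concrete, here is an added example (not code from the article or from any manufacturer) of the kind of automatic integrity check a fleet management system could run against every device: it verifies that a device's software manifest carries a valid manufacturer signature, that the manifest is for the right device model, that the image actually running matches the hash the manifest vouches for, and that the version is not stale. The manifest format, the `pump-x` model name, the firmware bytes and the key are all constructed for illustration; a real deployment would use the manufacturer's asymmetric signing key rather than a shared HMAC key, which is used here only so the example runs offline with the standard library.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed example key. A production scheme would use the manufacturer's
# asymmetric signing key (the device holds only the public half); HMAC is
# used here so the example runs offline with the standard library.
SIGNING_KEY = b"example-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: bytes, model: str, version: int) -> dict:
    """Describe a software image: which model it is for, its version, its hash."""
    return {"model": model, "version": version, "sha256": sha256_hex(image)}


def canonical(manifest: dict) -> bytes:
    # Stable serialisation so signer and verifier authenticate identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


@dataclass
class DeviceState:
    model: str
    installed_image: bytes   # what is actually running on the device
    manifest: dict           # the manifest the device claims it was updated from
    signature: str           # manufacturer signature over that manifest


def check_device(dev: DeviceState, latest_version: int, key: bytes = SIGNING_KEY) -> str:
    """Return a status string; anything other than 'ok' is a finding to act on."""
    # 1. The manifest must come from the manufacturer, unmodified.
    expected = sign_manifest(dev.manifest, key)
    if not hmac.compare_digest(expected, dev.signature):
        return "bad signature"
    # 2. The manifest must be for this device model (no cross-model image).
    if dev.manifest.get("model") != dev.model:
        return "wrong model"
    # 3. The running image must match the hash the signed manifest vouches for.
    if not hmac.compare_digest(sha256_hex(dev.installed_image), dev.manifest["sha256"]):
        return "image hash mismatch"
    # 4. Known-good but stale software is still a risk: flag it for update.
    if dev.manifest["version"] < latest_version:
        return "update required"
    return "ok"


# Constructed sample fleet: one healthy device plus three failure modes.
GOOD_IMAGE = b"infusion-pump-firmware-v3"
MANIFEST_V3 = build_manifest(GOOD_IMAGE, "pump-x", 3)
SIG_V3 = sign_manifest(MANIFEST_V3)


def example_fleet() -> list:
    healthy = DeviceState("pump-x", GOOD_IMAGE, MANIFEST_V3, SIG_V3)
    # Image altered on the device after the update: hash no longer matches.
    tampered = DeviceState("pump-x", GOOD_IMAGE + b"\x00", MANIFEST_V3, SIG_V3)
    # Manifest edited to claim a newer version: signature no longer verifies.
    forged = DeviceState("pump-x", GOOD_IMAGE, dict(MANIFEST_V3, version=99), SIG_V3)
    # Genuine but outdated software: integrity fine, version behind.
    old_image = b"infusion-pump-firmware-v2"
    old_manifest = build_manifest(old_image, "pump-x", 2)
    stale = DeviceState("pump-x", old_image, old_manifest, sign_manifest(old_manifest))
    return [healthy, tampered, forged, stale]


def audit_fleet(devices: list, latest_version: int) -> list:
    """Run the check over every device and return one status per device."""
    return [check_device(d, latest_version) for d in devices]


if __name__ == "__main__":
    for dev, status in zip(example_fleet(), audit_fleet(example_fleet(), 3)):
        print(dev.model, status)
```

The order of the checks matters: the signature is verified before any field of the manifest is trusted, so a forged version number or hash cannot influence the later steps, and a stale-but-intact device is reported separately from a tampered one because the two call for different responses (schedule an update versus take the device out of service and investigate).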

This year, the FDA released the Medical Device Safety Action Plan, likely in response to a flood of complaints about insufficient regulations. The document outlines a plan to “explore regulatory options to streamline and modernize timely implementation of postmarket mitigations,” which is promising but vague. Time will show what these regulations will look like in practice.

The future of connected medical devices

IoT is here to stay, and we’ll only see more devices that use it. There’s no denying that connected medical devices have a huge potential for saving lives. But we need to ensure we’re not opening up an avenue to harm patients in the process.

The ideal future would bring a combination of stricter regulations, more thoughtful manufacturing, better clinician training, and greater involvement from healthcare organizations.

Brad Smith is a technology expert at TurnOnVPN, a nonprofit promoting a safe, secure, and censor-free internet. He writes about his dream for a free internet and unravels the horror behind big tech.
