In September, the Federal Bureau of Investigation (FBI) released an alert regarding the risk of cyber-attack on outdated medical devices.
While it may sound like a science fiction scenario, the threat to the healthcare industry discussed by the FBI is frighteningly real. In a succinct industry notification, the bureau outlined a broad swath of risks to facilities, privacy, patient safety, and data storage. Older medical devices that have not been patched could be breached through software and hardware vulnerabilities.
Effective patient treatment relies on medical devices for testing or care. Most patients do not question the devices used by healthcare providers, leaving patients vulnerable to damage wreaked by bad actors who hack the device or the healthcare system.
The FBI notes most medical device hardware has a lifespan of between 10 and 30 years. As we all know from smartphones, manufacturers push updates throughout the life cycle of a device. While smartphones are designed with cyber attack in mind, contemporary and legacy medical hardware and software now in use may not be designed with cyber safety in mind.
Points cited by the FBI include:
- One cybersecurity firm issued a report in January 2022 noting 53 percent of the connected medical devices and internet-dependent devices in hospitals had known, high-risk vulnerabilities. The technical and operational capabilities of the devices could be affected if those risks are exploited.
- Devices that are vulnerable to cyber attack or control by a hacker include pain pumps, pacemakers, mobile cardiac telemetry, defibrillators, insulin pumps, and more.
- Research from another cybersecurity firm suggests an average of 6.2 vulnerabilities in each medical device. While medical recalls flag some of these devices for a critical fix, older devices generally do not receive software security patches.
The FBI recommends that healthcare providers employ a host of strategies to increase the security of devices and educate employees about device security threats and how to report them. Some of the overall steps suggested by the FBI include:
- Endpoint security protection
- Timely identification and management of passwords
- Management and identification of devices, software, and operating systems
- Employee training to reduce and report risk
- Industry collaboration between providers and manufacturers to reduce risk
In March of 2022, the American Hospital Association offered support for a legislative bill titled the Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act). The legislation remains pending.
Many of us rely daily on devices and the Internet of Things (IoT). In a healthcare setting, the breach of a device could delay treatment, skew results, or cause serious injury or death. Patients assume devices and healthcare software are safe. The FBI alert underscores the risk to patients and providers who make assumptions about the security and safety of the devices upon which they rely.
Experienced medical malpractice lawyers fight for compensation on your behalf in Baltimore and Washington, DC
Schochor, Staton, Goldberg, and Cardea, P.A. represents patients and their families across the US. When your healthcare provider makes a mistake that results in serious injury, call 410-234-1000 or contact us today to schedule a free consultation.