Cybersecurity for Medical Devices


In 2015 Forrester Research released their Cybersecurity predictions for the coming year. Prediction Number 1:

“We will see Ransomware for a Medical Device or Wearable”

That attack happened in April 2017 when the WannaCry Ransomware spread across the world, affecting over 200 countries.

Infecting nearly 300,000 Windows systems, WannaCry also hit hospitals, including the UK National Health Service (NHS) and facilities in the US. By temporarily shutting down health systems and restricting patients' access to treatment, WannaCry had a particularly acute impact on hospital systems.

Alongside the impact on hospital systems, numerous Medical Devices themselves were affected in the attack. HITRUST's investigations found that MedRad (Bayer), Siemens, and other unnamed medical devices were infected.

Medical Device Vulnerability 

Many hospital systems have in excess of 350,000 Medical Devices, excluding implantable devices that remain within patients. With most of these devices designed without security in mind, many have multiple vulnerabilities and ways in which they can be compromised by a hacker.

In August 2017, the FDA recalled its first Medical Device due to such a vulnerability. The recalled device, a pacemaker made by Abbott (formerly St. Jude Medical), was found to be vulnerable to cyber threats. Following an FDA investigation in February that year that highlighted areas of non-compliance, the device was recalled as a preventative measure.

FDA Takes a Stronger Position on Cybersecurity

Just over a year later, the FDA has taken steps to begin tackling the cyber-risks posed to Medical Devices.

As part of the Administration’s ongoing efforts to strengthen cybersecurity in healthcare, the U.S. Food and Drug Administration and the U.S. Department of Homeland Security (DHS) announced a memorandum of agreement to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in Medical Devices.

Alongside this, a new draft update to the pre-market guidance on Medical Device security gives manufacturers a framework for how best to protect against risks, including ransomware campaigns that disrupt clinical operations, as well as exploits involving a remote, multi-patient attack.

With cyber-attacks resulting in life-threatening consequences, and with Medical Devices becoming ever more connected, the approval of new devices is sure to be impacted by increasing regulation and more stringent testing.


Science In Images: the History of Spacelabs

Back in February, I made the decision to join a Medical Device company based just outside of Seattle: Spacelabs.

Founded in 1958 by two scientists, the company developed cardiac monitoring and telemetry systems for NASA, which were used to monitor astronauts’ vital signs during the Gemini and Apollo space missions, culminating in Neil Armstrong wearing Spacelabs medical telemetry for the first moon landing in 1969.

That technology was the beginning of the equipment that Spacelabs makes today, focusing on patient care in the monitoring and cardiology space.

As with all jobs, it has its problems, but I feel lucky to get to work on innovative equipment that saves lives.

Content reproduced from Spacelabs Healthcare