In 2015, Forrester Research released its cybersecurity predictions for the coming year. Prediction number 1:
“We will see Ransomware for a Medical Device or Wearable”
That attack happened in April 2017 when the WannaCry Ransomware spread across the world, affecting over 200 countries.
Infecting nearly 300,000 Windows systems, WannaCry also hit hospitals, including the UK National Health Service (NHS) and facilities in the US. By temporarily shutting down health systems and restricting patients' access to treatment, WannaCry had a particularly acute impact on hospital systems.
Alongside the impact on hospital systems, numerous Medical Devices themselves were affected in the attack: HITRUST reported that its investigations found that MedRad (Bayer), Siemens, and other unnamed medical devices were infected.
Medical Device Vulnerability
Many hospital systems have in excess of 350,000 Medical Devices, excluding implantable devices that remain within patients. With most of these devices designed without security in mind, many have multiple vulnerabilities and ways in which they can be compromised by a hacker.
In August 2017, the FDA recalled its first Medical Device due to such a vulnerability. The recalled device, a pacemaker made by Abbott (formerly St. Jude Medical), was found to be vulnerable to cyber threats. Following an FDA investigation in February that year, which highlighted areas of non-compliance, the device was recalled as a preventative measure.
FDA Takes a Stronger Position on Cybersecurity
Just over a year later, the FDA has taken steps to begin tackling the cyber-risks posed to Medical Devices.
As part of the Administration’s ongoing efforts to strengthen cybersecurity in healthcare, the U.S. Food and Drug Administration and the U.S. Department of Homeland Security (DHS) announced a memorandum of agreement to implement a new framework for greater coordination and cooperation between the two agencies for addressing cybersecurity in Medical Devices.
Alongside this, a new draft update to the pre-market guidance on Medical Device security gives manufacturers a framework for how best to protect against risks, including ransomware campaigns that disrupt clinical operations, as well as exploits involving a remote, multi-patient attack.
With cyber-attacks resulting in life-threatening consequences, and with Medical Devices becoming ever more connected, the approval of new devices is sure to be impacted by increasing regulation and more stringent testing.