Effectively Addressing Cybersecurity Breaches in Medical Devices (Part 2 of 3)
The Inherent Risks, Impacts of Security Decisions, and Practical Approaches – Cybersecurity and Attacks on Medical Devices
Continuing from our prior post in this three-part series on effectively addressing cybersecurity breaches in medical devices, this second post will focus on specific examples of cybersecurity attacks on medical devices.
Cybersecurity and attacks on medical devices
If you have turned on the television, read the news, or listened to the radio recently, you have heard that cybersecurity threats are something we all have to be concerned about. We hear about data breaches affecting the disclosure of personal financial information or breaches into the nation’s military weapons system. But in the context of medical devices, cybersecurity is the process of preventing a breach or unauthorized user from gaining access, modifying, misusing, or denying use to information that is stored, accessed, or transferred from a medical device to an external recipient.[i]
Unlike breaches into military systems, where we trust the government is initiating measures to safeguard the general public from threats and direct attacks, the threat of cybersecurity attacks in healthcare is very real, widespread, and right in our backyards. There have been numerous real and fictional examples of medical devices falling victim to a cybersecurity attack. A recent study revealed that ninety-four (94) percent of healthcare institutions reported being victims of cyber-attacks.[ii]
Below are some real-life examples of actual medical devices falling victim to a cybersecurity attack:
- August 12, 2011: Hacking into an insulin pump. While the hacking was done as a presentation at a security conference, the presenter showed how to hack into his own insulin pump, although it required security expert knowledge and fairly close proximity to the pump. However, the presentation, even back in 2011, brought back into the limelight the question of whether manufacturers of medical devices were taking the necessary security measures to protect their consumers/patients and the devices from an attack.[iii]
- April 25, 2014: An article explores and exposes the vulnerabilities of hospital equipment used at a large chain of Midwest health care facilities and its high susceptibility to being hacked, including, but not limited to, insulin pumps, defibrillators, and hardcoded passwords in medical devices.[iv]
- February 2015: Anthem, Inc. attacked by hackers who obtained data that may have exposed 80 million customers’ personal information. A lawsuit is pending in the Northern District of California, the consolidated complaint alleging that the hackers stole income tax refunds and placed false charges on their credit cards.[v]
- June 1, 2015: Court dismisses a claim arising out of a data security breach at Amazon.com (Zappos.com), because the victims lacked standing to sue when they could not identify any specific harm that they had sustained as a result of a data breach that occurred 3.5 years prior.[vi]
- July 31, 2015: FDA issues an alert for healthcare facilities to discontinue the use of the Hospira Symbiq Infusion System due to cybersecurity vulnerabilities. In other words, as the FDA’s statement set forth, the Hospira system could be accessed remotely through a hospital’s network, giving an unauthorized user access to and control of the device and allowing that user to change the dosage of general infusion therapy the pump delivers.[vii]
- June 2016: Hacker gains access to 397,000 patient records from the internal network of a large database in Georgia, 210,000 patient records from a database somewhere in the Midwest (retrieved from a ‘severely misconfigured network’), and 48,000 records located in Farmington, Missouri.[viii] The hacker then put the information up for sale at around $485K. This is just one of many recent “ransomware” stories; ransomware is a category of malicious software (“malware”) that encrypts a user’s disk drives and demands some form of compensation in return for the critical data held hostage.[ix]
For best practices on how to prepare, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks, stay tuned for part three of this series coming soon. Read part one of this series on navigating the medical device field and vulnerabilities of medical devices here.
[i] U.S. Food and Drug Administration, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, Guidance for Industry and Food and Drug Administration Staff, October 2, 2014.
[ii] Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare On Horizon, SANS Institute, February 2014.
[iii] Morgan E. Peck, Medical Devices Are Vulnerable to Hacks, But Risk Is Low Overall, August 12, 2011.
[iv] Kim Zetter, It’s Insanely Easy to Hack Hospital Equipment, April 25, 2014.
[v] Carolyn Purwin Ryan, Cyber Security Vulnerabilities: Is Your Medical Device At Risk?, January 2016.
[vi] Id.
[vii] Id.
[viii] Chris Nerney, Hacker puts 10 million stolen health records up for sale, June 30, 2016.
[ix] Health Held Hostage: Ransomware in the Health Care Industry, May 26, 2016.