Protecting Medical Devices against Cyberthreats

Over the past year, several events have given legs to the growing body of concern over the potential for medical devices to be compromised by hackers. Security tests of various devices by expert hackers and security laboratories have shown that a range of devices, from implantable insulin pumps to defibrillators, pacemakers, and other medical electronics, are vulnerable to hacking. The potential for such hacking to compromise a medical device recently became reality by the spread of a malware virus, “WannaCry” ransomware, that was able to compromise a variety of medical equipment such as imaging systems and dye injectors (Wired. Published March 2, 2017.).

What has emerged is the need to protect medical devices against a two-fold cyberthreat. First is the need to protect individual patients from the potential for harm if the device itself is compromised, such as a hack into an insulin pump that resets the device to administer a fatal dose of insulin to the patient. Second, systems must be protected against being hacked through the portal of a medical device, an easy entry point to a hospital network that could lead to stealing medical records.

To that end, a number of government and non-government agencies are working together to address these risks and ultimately protect patients while securing their privacy.

Risk to Otolaryngologic Devices

Although no known vulnerability risk has been detected in medical devices used in otolaryngology, such as cochlear implants and hearing aids, the potential exists for such vulnerability.

“Any medical device that can be connected through wired or wireless means to an external device, typically for the purpose of changing control settings, can conceivably be hacked,” said Stephen L. Grimes, managing partner at medical technology consulting firm Strategic Healthcare Technology Associates, based in Swampscott, Mass. “The external device might be a controller, a computer, a thumb drive, or other remote storage device,” he added.

To date, however, no specific cybersecurity concerns have been reported for devices used by otolaryngologists, and concern over this issue is not yet widespread among the specialty, according to Kenneth H. Lee, MD, PhD, chair of the American Academy of Otolaryngology Head & Neck Surgery (AAO-HNS) Medical Devices and Drugs Committee.

He believes that the security risk to current technologies used for cochlear implants and hearing aids, such as the use of Bluetooth streaming from smart phones to adjust settings, is limited. “I don’t think there is significant concern about individuals desiring to randomly access settings of a patient’s implant or hearing aid,” he said.

For Dr. Lee, the advances in technology for otolaryngology devices are only a “big plus,” from both the patient and provider standpoints. “Having a smart phone and being able to adjust your hearing on your smart phone is a huge plus for patients and something they appreciate and find very valuable,” he said.

Any medical device that can be connected through wired or wireless means to an external device, typically for the purpose of changing control settings, can conceivably be hacked. —Stephen L. Grimes, Strategic Healthcare Technology Associates

Although the vulnerabilities of these devices to hacking is not yet on his or the Academy’s radar, he emphasized that it is something “we need to be judicious about moving forward.”

The Need for Awareness

For Grimes and other security experts who regularly consult with medical and government entities in developing guidance on cybersecurity, educating providers on the potential risks to medical devices is a top priority when it comes to helping ensure their safety. “Practitioners, including otolaryngologists, need to know that today’s new technologies often bring new cyber vulnerabilities,” he said. “To ensure safe use of the new technologies, practitioners should question security and clinical engineering experts to verify that all stakeholders in the process understand the issue and are taking the appropriate precautions.”

Scot Copeland, a medical IT network risk manager at Scripps Health in San Diego, also emphasized the need for otolaryngologists, along with all providers, to be aware of cybersecurity issues in their own environment. “The cybersecurity issues aren’t as prevalent in the ENT discipline as elsewhere, but the basics still apply, and awareness is key to identifying the issues as new products and implementation arise,” he said.

An example of a new technology that addresses these new cybersecurity concerns is the new Nucleus 7 Sound Processor for cochlear implants, manufactured by Cochlear Ltd. and approved by the FDA in June 2017. According to Jan Janssen, senior vice president of research and development at Cochlear, the processor is designed to prevent unauthorized use of the device, or a malicious attack on it. Janssen also emphasized that the processor “had to meet the applicable cyber security guidelines” by various regulatory bodies around the world to obtain approval.

Among the basics of cybersecurity that otolaryngologists and other providers should pay attention to are such things as using strong passwords, keeping software and operating systems as up to date as possible, using anti-malware where possible, replacing older equipment that can’t be kept current, and following manufacturer guidance on safety and security. In other words, “adhering to proper cybersecurity hygiene,” he said.

---

Mary Beth Nierengarten is a freelance medical writer based in Minnesota.