Report Urges Federal Agencies to Update Medical Device Cybersecurity Agreement

Published January 5, 2024

Protecting Medical Devices from Cyber Threats

In the era of interconnected medical devices, such as heart monitors and insulin pumps, tracking real-time patient data over connected networks has become standard practice for healthcare professionals. However, a recent watchdog report from the U.S. Government Accountability Office (GAO) emphasizes the need for federal agencies to update their cybersecurity agreement to safeguard these vital medical tools.

The report underscores that while cyber-attacks on medical devices are not common, they have the potential for severe consequences. A breach could lead to delays in critical patient care, expose sensitive data, disrupt healthcare provider operations, and necessitate costly recovery efforts.

Jennifer Franks, Director of GAO’s Center for Enhanced Cybersecurity, highlights the urgency of the matter, stating, “If a physician were operating on a patient in an operating room and an attack happened, that patient would be losing minutes upon minutes of getting that provided service that they need.”

According to the report, as of January 2022, 53 percent of connected medical devices and devices within hospitals had known critical vulnerabilities. The Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) established an agreement to outline practices for protecting medical device cybersecurity. However, the report points out that this agreement has not been updated in the last five years.

Franks emphasizes the need for accountability and participant identification in these agreements, stating, “What this could really help the agencies to do is to just better monitor and assess and even communicate progress short or long term so if a vulnerability did take place, where are you going to get your information and who is going to be leading said information.”

In response to the report, Stephen Hughes, Director of Health Information and Technology Policy for the American Hospital Association, acknowledges the collaboration between FDA and CISA but urges careful consideration of the clinical, operational, and financial challenges hospitals face when older medical devices become vulnerable to cyber threats.

Hughes notes, “Given that many of these devices, such as heart monitors and infusion pumps, are critical components to delivering care, any disruption to the device or the system supporting those devices could put a patient directly at risk.”