The U.S. Food and Drug Administration (FDA) warned this week that a number of insulin pumps from Medtronic MiniMed might be at risk of a cybersecurity breach, going as far as to warn patients to switch devices—"Medtronic is recalling affected MiniMed pumps," the FDA said, "and providing alternative insulin pumps to patients."
A full list of affected models can be found with the warning. The affected models cannot be updated and need to be replaced, even though "the FDA is not aware of any reports of patient harm related to these potential cybersecurity risks."
Insulin pumps provide patients with the regular insulin needed throughout the day and night. According to Medtronic, "the vulnerability allows a potential attacker with special technical skills and equipment to potentially send radiofrequency (RF) signals to a nearby insulin pump to change settings, impacting insulin delivery. This change could result in a patient experiencing hypoglycemia (if additional insulin is delivered) or hyperglycemia (if not enough insulin is delivered)."
In a statement, Suzanne Schwartz from the FDA’s Center for Devices and Radiological Health said that "while we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm, if such a vulnerability were left unaddressed, is significant."
This is not an isolated incident. As ever more medical devices come online, the vulnerabilities have increased significantly. And as we shift to IoT and wearables, this will only get worse. The FDA "allows devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks," but acknowledges that the increase in connectivity, while improving healthcare, also increases the risks: "medical devices, like other computer systems," the FDA cautioned, "can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device."
The challenge of securing medical devices is the same as with all high-volume connected endpoints. An endpoint is a potential vulnerability. Deloitte describes "networked medical devices and other mobile health (mHealth) technologies" as a "double-edged sword—they have the potential to play a transformational role in health care but also may be a vehicle that exposes patients and health care providers to safety and cybersecurity risks such as being hacked, being infected with malware and being vulnerable to unauthorized access."
Clearly, with medical devices, this could carry immediate consequences. "Patient safety issues—injury or death—related to networked medical device security vulnerabilities are a critical concern; compromised medical devices also could be used to attack other portions of an organization’s network," warns Deloitte.
The cybersecurity risk that has generated the most headlines in healthcare relates to patient data, rather than devices. This week, it was reported that the AMCA healthcare data breach could set a new precedent. "It now appears that over 20 million patients have been affected," reported CPO Magazine, "including nearly 12 million patients of Quest Diagnostics, 7.7 million patients of LabCorp, and over 422,000 patients of BioReference Labs... The sheer size and scope of this AMCA healthcare data breach would make it one of the biggest ever, with the potential for significant risk for AMCA and the affected companies."
Also this week, the U.S. Senate warned that the number of cyber incidents reported by federal agencies has materially increased, and in 2017 "federal agencies reported 35,277 cyber incidents," highlighting health-related data as of particular concern.
In the meantime, the usual advice applies as to any device. Keep firmware updated. Be aware when connecting to unfamiliar networks. Check for product warnings where those devices perform a critical function.
Source: Forbes