Medical Devices Provide Cyber Attack Opportunities

The healthcare industry is increasingly relying on medical devices that use outdated software and lack adequate security features. In 2022 and FBI report identified an alarming increase in the number of vulnerabilities posed by unpatched and outdated medical devices. Clearly, cyber threat actors exploiting medical device vulnerabilities have the potential to adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity.

The vulnerabilities of medical devices predominantly stem from device hardware design and device software management. Many devices are simply too old to have addressed today’s security concerns but others were pushed to market without security in the first place.

To be honest, speed to market is a primary concern for companies. Implementing security at the early stage is seen as an unnecessary waste of precious time. ‘Security can be put in after we launch the product’ is a thought I’ve heard in many a boardroom discussion over the years. That is specifically true but often it comes at twice the cost and takes more effort. At that point, the argument often changes to ‘Lets run this version out … the next version will have more security.’

The FBI report highlights that “53% of connected medical devices and other internet of things (IoT) devices in hospitals had known critical vulnerabilities. Approximately one-third of healthcare IoT devices have an identified critical risk potentially implicating technical operation and functions of medical devices.”

Are medical devices a security risk?

Do you have one of these devices in the home?

The Internet of Things (IoT) concerns includes more and more medical devices. With the increase of in-home medical equipment, this is a real concern. Many of these devices “call home” for instructions, updates, reporting, and other functions. Depending on the vulnerability, these devices can be stopped, told to act improperly, or even used as an attack platform against other devices. Each of these items on the local network is a small computer. Just like any computer, they can be used as a jumping off point in an attack. It seems laughable that your refrigerator is used to attack and stop Uncle Joe’s pacemaker but it’s not impossible. Medical devices that are susceptible to cyber-attacks include insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers, and intrathecal pain pumps.

Can we regulate out of this?

I am not a huge fan of government regulations. They seem to lead to a bloated government bureaucracy that no one really understands well and stifles innovation. However, lack of controls leads to companies manufacturing good that do not have the customer’s best interests in mind. Clearly, speed to market is more of a driver than solid and secure ground-up development or we wouldn’t really be in this situation in the first place.

We may see an increase in regulation as a new law will take effect today. Signed in late 2022, the $1.7 trillion omnibus appropriations bill includes provisions for the FDA to ensure that medical devices adhere to cybersecurity standards before being released to the market. The law also mandates that medical device manufacturers maintain “adequate post-market surveillance” to monitor risks associated with hardware and software of their devices.

Of course, it remains to be seen what “adequate” means.


Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

Verified by MonsterInsights