
Hospitals are demanding secure medical devices before they buy

The IoT: "Every something that comes on the market is in essence its own small computer with an ability to find its way into something."

Susan Morse, Managing Editor

Medical devices such as pacemakers and infusion pumps are increasingly coming under scrutiny for being susceptible to cybersecurity attacks.

But how does a hospital know if it is buying a device at risk of being hacked?

Even if the device is approved by the Food and Drug Administration, it's just about impossible for a hospital to be certain that it is secure, according to Mike Kijewski, CEO of MedCrypt, a company that builds security features into medical devices.


Because of this, more hospitals are demanding that devices include security requirements upfront, he said.

"We really see this becoming part of decision-making criteria," he said. "Sales are being made or lost based on security."

Case in point: in 2016, security researchers found vulnerabilities in St. Jude Medical pacemakers. A year later, the FDA and the Department of Homeland Security issued an alert covering about 465,000 St. Jude pacemakers (St. Jude is now owned by Abbott), along with a firmware update to close the flaw in the devices' radio-frequency communication.

The company's stock value dropped.

"The most interesting thing, this was a great demonstration of how a company can suffer financially," Kijewski said.

Also in 2017, the FDA issued a recall of St. Jude implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators due to premature battery depletion.

Lawsuits included one from Humana to recoup payments it made for the devices.

There have been a couple of cases of ransomware in which imaging equipment was the entry point, according to Kijewski. And then there was the attack on a casino in which hackers got in by manipulating a fish tank thermometer.

"The biggest areas now of concern are medical devices," said Cheryl Martin, chief knowledge officer for the American Health Information Management Association. "The medical device industry is well aware, there is a good coordinated effort. Everything is just a small computer now."

The next target is just about anything that plugs in and is wireless, including smart fridges, printers, phones and, yes, Alexa, Siri and Google Assistant, all of the latter already under scrutiny for privacy concerns.

"With the IoT [internet of things], it's anybody's guess. Every something that comes on the market is in essence its own small computer with an ability to find its way into something," Martin said. "I guarantee Alexa and Siri are on the horizon."


While there is no known case of a medical device being hacked to intentionally harm patients, HIPAA compliance mandates that hospitals secure protected health information.

A hospital contains numerous connected devices, and interoperability demands the secure sharing of health information.

Breaches result in fines and other regulatory enforcement. This year has been a record breaker for HIPAA enforcement by the Department of Health and Human Services' Office for Civil Rights.

"Medical device security is a big, important problem," Kijewski said.


Medical device security became a much larger issue after October 2018, when the FDA issued guidelines on strengthening the agency's medical device program to protect patients, according to Kijewski.

Before then, MedCrypt did a lot of client education, Kijewski said. After that, sales climbed.

Even when medical devices are not being deliberately targeted, products that are connected to a hospital network, such as radiologic imaging equipment, may still be affected, former FDA Commissioner Scott Gottlieb said in the agency's announcement.

In coordination with the MITRE Corporation, the FDA announced the launch of a cybersecurity "playbook" for healthcare delivery organizations promoting cybersecurity readiness. Gottlieb also announced two significant memoranda of understanding to bring together stakeholders to allow for increased information sharing and transparency around cybersecurity risks.

The agency issued premarket guidance that manufacturers should consider in the design and development of their medical device to ensure their product adequately addresses cybersecurity vulnerabilities. Its postmarket guidance outlined a risk-based framework for manufacturers to use to ensure they could quickly and adequately respond to new cybersecurity threats once a device is in use.

Twitter: @SusanJMorse
