As medical practices continue to rely on telemedicine and telework programs to maintain social distancing and infection control amid the COVID-19 pandemic, medical device cybersecurity has never been more important.
During a crisis, criminals may see an opportunity, says Greg Garcia, executive director of cybersecurity for the Healthcare Sector Coordinating Council, a coalition of industry associations that aims to address security and resiliency issues. “There are hackers and scammers who are exploiting the public’s fear and hope about COVID- 19,” he says, citing the example of “phishing emails directing users to fake websites corrupted with malware that can steal personal information.”
Even before the pandemic, medical device cybersecurity was a concern for the U.S. FDA. The agency regularly issues warnings about potential cybersecurity vulnerabilities that may affect medical devices. For example, in March 2020, the agency warned about potential problems associated with Bluetooth Low Energy technology that is used to “pair” and exchange information between devices.
“Devices are becoming increasingly connected, which makes the devices more vulnerable to cybersecurity threats than nonconnected devices,” says Jessica Wilkerson, cyber policy advisor at the FDA’s Center for Devices and Radiological Health.
Medical device manufacturers must comply with quality system regulations that require them to address cybersecurity risk, Wilkerson says, but those delivering care also play a critical role in keeping medical devices safe from cyber threats.
Here are some steps that office-based clinicians can take to protect their patients and their businesses.
Assign responsibility for security measures. Practices of all sizes should designate a person or team leader to track vendor security alerts, install patches and updates, and ensure all staff know they should not share passwords or click on links in unfamiliar emails.
Read the documentation. The Manufacturer Disclosure Statement for Medical Device Security (MDS2) that is included with a device should explain what data are stored on the device, how they are used and transmitted, and what security features (if any) are built into the device. This information should also be listed on the manufacturer’s website.
Stay informed and share information about current threats, risks, and best practices. Several organizations, such as the Healthcare Sector Coordinating Council and the Health Information Sharing and Analysis Center, publish resources for health care organizations. In addition, the FDA maintains a cybersecurity page with information about risks and current threats, and practices can subscribe to receive updates by email. The FDA encourages providers, patients, and caregivers to report cybersecurity issues with medical devices through the MedWatch Online Voluntary Reporting Form (www.accessdata.fda.gov/scripts/medwatch).