In cooperation with the ECRI Institute, AAMI (Association for the Advancement of Medical Instrumentation) just published their 2014 report on “Executive Insights on Healthcare Technology Safety”. Cybersecurity of Medical Devices came in as one of the top five identified technology risks! The full report can be found here: http://www.aami.org/aami-ecri/Tech%20Trends%202014.pdf
Specifically, the report advises healthcare delivery organizations and manufacturers to take cybersecurity seriously as they are building their integrated networks of medical devices by, for example, performing security assessments. Further, they need to realize that “doing this the right way requires huge amounts of resources to test and secure the networks and devices before deployment”.
The report states that the security failures in healthcare are mistakes of a long-gone era in other verticals, concluding that executives should follow security best practices from other industries as well as understand the risks and consequences if they do not adopt those best practices.
Healthcare delivery organizations are urged to put the right priority on device / network security. They need to ask to what depth networks and devices are tested and secured before deployment and where device cybersecurity fits in with their overall risk / cost / benefit analysis.
From other reports and publications we know that medical devices can be hacked into, as demonstrated by security researchers for pacemakers (Kevin Fu - http://www.secure-medicine.org/public/publications/icd-study.pdf) and insulin pumps (Jerome Radcliffe - http://venturebeat.com/2011/08/04/excuse-me-while-i-turn-off-your-insulin-pump/).
The FDA has stated that, although there have been no documented cases of patient harm due to medical device cybersecurity incidents, they are taking the risks seriously, as published in their June 2013 guidance. And there have been plenty of anecdotal reports of malware outbreaks and security incidents on medical devices leading to operational impact, delays in patient care, and revenue implications.
The warning jointly issued by ECRI and AAMI, two recognized thought leaders in the field of medical device safety, is timely and should be taken seriously by all stakeholders.