
Drug / Device Law Blog: Legal updates, news, and commentary from the attorneys of Baker Sterchi Cowden & Rice LLC

Effectively Addressing Cybersecurity Breaches in Medical Devices (Part 2 of 3)

January 11, 2017 | Megan Sterchi Lammert

The Inherent Risks, Impacts of Security Decisions, and Practical Approaches – Cybersecurity and Attacks on Medical Devices

Continuing from our prior post in this three-part series on effectively addressing cybersecurity breaches in medical devices, this second post will focus on specific examples of cybersecurity attacks on medical devices.

Cybersecurity and attacks on medical devices

If you have turned on the television, read the news, or listened to the radio recently, you have heard that cybersecurity threats are something we all have to be concerned about. We hear about data breaches disclosing personal financial information or intrusions into the nation’s military weapons systems. In the context of medical devices, cybersecurity is the process of preventing a breach or an unauthorized user from gaining access to, modifying, misusing, or denying use of information that is stored on, accessed from, or transferred from a medical device to an external recipient.[i]

Unlike breaches into military systems, where we trust the government is taking measures to safeguard the general public from threats and direct attacks, the threat of cybersecurity attacks in healthcare is very real, widespread, and right in our backyards. There have been numerous real and fictional examples of medical devices falling victim to a cybersecurity attack. A recent study revealed that ninety-four (94) percent of healthcare institutions reported being victims of cyber-attacks.[ii]

Below are some real-life examples of actual medical devices falling victim to a cybersecurity attack:

  • August 12, 2011: Hacking into an insulin pump. While the hacking was done as a presentation at a security conference, the presenter showed how to hack into his own insulin pump, although doing so required security expert knowledge and fairly close proximity to the pump. The presentation, even back in 2011, brought back into the limelight the question of whether manufacturers of medical devices were taking the necessary security measures to protect their consumers/patients and their devices from an attack.[iii]
  • April 25, 2014: Article explores and/or exposes the vulnerabilities of hospital equipment and its high susceptibility to being hacked, including, but not limited to, insulin pumps, defibrillators, and hardcoded passwords in medical devices used at a large chain of Midwest health care facilities.[iv]
  • February 2015: Anthem, Inc. attacked by hackers who obtained data that may have exposed 80 million customers’ personal information. A lawsuit is pending in the Northern District of California; the consolidated complaint alleges that the hackers stole income tax refunds and placed false charges on customers’ credit cards.[v]
  • June 1, 2015: Court dismisses a claim arising out of a data security breach at Amazon.com (Zappos.com) because the victims lacked standing to sue when they could not identify any specific harm they had sustained as a result of a data breach that occurred 3.5 years prior.[vi]
  • July 31, 2015: FDA issues an alert for healthcare facilities to discontinue use of the Hospira Symbiq Infusion System due to cybersecurity vulnerabilities. In other words, as the FDA’s statement set forth, the Hospira system could be accessed remotely through a hospital’s network, giving an unauthorized user access to and control of the device and allowing them to change the dosage of general infusion therapy the pump delivers.[vii]
  • June 2016: Hacker gains access to 397,000 patient records from the internal network of a large database in Georgia, 210,000 patient records from a database somewhere in the Midwest (retrieved from a “severely misconfigured network”), and 48,000 records located in Farmington, Missouri.[viii] The hacker then put the information up for sale at around $485K. This is just one of many recent “ransomware” stories; ransomware is a category of malicious software (“malware”) that encrypts a user’s disk drives and demands some form of compensation in return for the critical data held hostage.[ix]

For best practices on how to prepare for, mitigate, and otherwise manage vulnerabilities and potential cybersecurity attacks, stay tuned for part three of this series, coming soon. Read part one of this series, on navigating the medical device field and the vulnerabilities of medical devices, here.


[ii] Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare On Horizon, SANS Institute, February 2014.

[vi] Id.

[vii] Id.
