The U.S. Food and Drug Administration (FDA) issued a warning to patients and healthcare providers this week regarding Medtronic MiniMed insulin pumps, citing cybersecurity vulnerabilities which could allow someone other than the patient to access the pump and change its settings.
2,620 of Medtronic MiniMed 508 and MiniMed Paradigm pumps have been sold in Canada. Health Canada says there are no concerns with how the device functions, but they are vulnerable to attacks that could affect operations.
The agency says cyberattacks could affect the device’s settings which could result in an incorrect dose of insulin, but the agency is not aware of such incidents occurring.
According to experts, however, this is not an anomaly. Medical devices, including medical implants, are likely vulnerable to cybersecurity breaches due to an absence of clear quality assurance standards, as well as a lack of cybersecurity understanding among healthcare professionals.
“This is unfortunately quite common especially in the medical sector for two reasons,” explained Ali Dehghantanha, director of the Cyber Science lab with the University of Guelph’s School of Computer Science. “First there are no standards or testing required. Many companies like to just get to the market as soon as possible so they just keep doing basic security for the product.
“Secondly, there is a demand out there that obviously these products can make significant changes on the human life and the quality of the people. So doctors are willing to just prescribe them as soon as possible,” he continued.
WATCH: It’s ‘more important than ever’ for government to protect data: privacy commissioner
Dehghantanha added that because doctors and healthcare practitioners were not informed of the cybersecurity risks themselves, they’re likely to recommend these products to patients based on their potential to improve their patients’ quality of life.
A few days after the FDA released its findings, Health Canada followed up with new regulations requiring hospitals to report medical device incidents and also published the Pre-market Requirements for Medical Device Cybersecurity.
These regulations will come into effect in late 2019, and they aim to improve the process by which medical devices get on the market, strengthen procedures to follow up with patients after they’ve received a medical device and inform Canadians about the risks and benefits of these products.
According to Dehghantanha, some regulation does exist. The real problem, he explained, is the challenge of measuring whether these devices meet the requirements.
“When you put a standard in place you should put a measurement along with that.” he said. “If you look at most regulatory statements, they are not measurable. They are just statements of interest. In practice, they are not measurable. That is one of the biggest challenges we have in almost all security standards.”
While these risks may not be widely known to the public, security vulnerabilities in medical implants and other devices aren’t a new occurrence.
In 2017, the FDA recalled 465,000 pacemakers due to similar security vulnerabilities. Kapersky Labs predicted near the end of 2017 that attacks on medical equipment with the aim of extortion, malicious disruption or data theft, including attacks on medical implants, would rise in 2018.
WATCH: Government not stressing cybersecurity importance with MLAs
This seemed to come to pass, as medical device recalls had reached a record high in the first few months of 2018, according to Stericycle’s Recall Index, with software being the leading cause.
Last August, security researchers warned that they were able to hack Medtronic pacemakers, the same manufacturer of the Medtronic MiniMed, which could impact the electrical impulses of the device. Medtronic responded at the time that all medical devices come with some sort of risk, but that the chances of a successful cyber attack were low. In October 2018, Medtronic disabled its pacemaker programmer updates for 34,000 devices due to concerns that the system was vulnerable to cyber attacks.
In most cases, a cyber attacker who successfully breaches a medical implant has the ability to impact the function of the device, posing a direct risk to patient care.
“Medical devices are directly connected to a care delivery because they perform a certain diagnostic capability or they support a certain therapy. If a medical device gets infected…it does impact the hospital’s ability to deliver care,” said Axel Wirth, Healthcare Solutions Architect with Symantec.
WATCH: How to protect yourself from ransomware attacks
“Even though we haven’t seen that to date but there certainly could be a case where the medical device incident could potentially harm the patient,” he added.
He states that while these vulnerabilities pose risks, regulators are doing their due diligence to keep up with these challenges. In the future, however, healthcare practitioners, including doctors and nurses, will likely need to have some rudimentary knowledge of cybersecurity in order to properly inform their patients of any risks associated with medical devices.