Medical Devices and Cyber Security
 
The Internet of Medical Things (IoMT) is growing rapidly, so rapidly that it is being touted as the future of healthcare. The IoMT is an interconnected infrastructure of medical devices, software, monitoring devices and the data systems that aggregate their output. It offers a variety of benefits, from remote monitoring and real-time data feeds to easing the pressure on under-resourced hospitals and public health budgets. As technology pushes digital health in new directions, each new iteration brings both potential and challenges.
A major concern for the healthcare sector is the vulnerability of interconnected devices to external threats, usually in the form of malware, hacking, denial-of-service attacks or ransomware. The May 2017 ‘WannaCry’ worm hit the UK’s NHS particularly hard, disrupting more than 40 NHS trusts. While not aimed at health providers specifically, WannaCry illustrated how quickly interconnected devices and computer systems can be paralysed by a cyber-attack; it spread by exploiting a flaw in Windows SMBv1 (MS17-010) for which a patch had been available for two months, so the systems it paralysed were largely those that had not been, or could not be, patched. The emergence of Shodan and Censys, search engines that index internet-connected devices, underscores just how exposed medical devices can be: a device that answers on the public internet can be found by anyone who looks. The vulnerability may lie either in a device used by a patient or in the infrastructure that supports it, which is especially true of hospital-based devices.
A Wi-Fi-enabled medical device is vulnerable to attack if the software that runs it and connects it back to its data source includes no protective measures. Unlike many of the breaches reported in the news, an attack on an active medical device can be life-threatening: an attacker who can alter an insulin pump’s dosing commands could, for instance, administer a fatal dose. And because medical devices connect to a large array of sensors, monitors and hospital IT systems, a compromised device becomes an entry point to the wider hospital network. The 2015 ‘MEDJACK’ (medical device hijack) attacks, for example, planted malware on poorly protected medical devices and used them as persistent backdoors into hospital networks, from which the attackers moved laterally and exfiltrated data; the devices themselves were rarely monitored, so the intrusion went unnoticed for long periods. Hospitals have on average 10 to 15 connected devices at each patient’s bedside, any one of which is exposed if preventative measures are not in place.
Two reports released in 2017[i] and an FDA workshop[ii] on cyber security and healthcare all reached the same conclusion: while manufacturers and users of medical devices are aware of the potential cyber threat, there is little consensus on how big the threat is or what should be done about it. More than two thirds of the medical device manufacturers and hospitals surveyed believed that a cyber-attack on one of their devices was ‘likely or very likely’ in the next 12 to 20 months. However, fewer than half were using the FDA’s cyber security guidance for medical devices, and fewer still were testing the devices they already had in use for vulnerabilities. Outdated operating systems that can no longer receive security patches are a well-known entry point for criminals intent on holding confidential or life-critical data to ransom.
The FDA workshop, held in May 2017, described hospital systems as a ‘microcosm of cyber risk’. At any given moment a hospital may have tens of thousands of interconnected medical and monitoring devices online, plus a further web of remote-treatment devices that connect back to the central hospital system. Attendees noted that a major source of concern is the ‘weakest link’ problem: a single vulnerable or poorly protected component can imperil the entire system, because an attacker needs only one way in.
While the benefits of interconnection and data sharing in the global medical device ecosystem outweigh the risks, manufacturers, policy makers and technology experts are urging users to be more aware of cyber risks and to plan better for deterring and managing them.
[i] Medical Device Security: An Industry Under Attack and Unprepared to Defend, Ponemon Institute, May 2017; Security Evaluation of the Implantable Cardiac Device Ecosystem Architecture and Implementation Interdependencies, WhiteScope, May 2017.
[ii] Cyber Security of Medical Devices: A Scientific Gap Analysis, FDA and National Association of Sciences workshop, May 2017.
The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body. The views expressed are entirely those of the authors.

