Worrying about medical device cybercrimes

Elizabeth Engler Modic
Editor

You’ve seen the headlines: “Cybercriminals hit again,” “Hackers attack.” Data breaches occur all the time. It’s happening at Big Box stores such as Home Depot and Target, and it’s leaving consumers worried about identity theft, fraudulent charges, and damaged credit reports.

However, you might not know the black market value for some of the items the hackers acquire. According to Experian, the black market for personal data is at a record high, with 110 million pieces of data thought to have been bought or sold through this year, a 40% rise on the amount traded in 2013.

Take a cybercriminal gaining the three-digit CVV code on the back of your credit card – that is worth $2. Hacking into a PayPal or eBay account earns a cybercriminal $27 per account. Between these comes market-flooded credit card theft, which is what occurs after a massive data breach such as the ones at the Big Box stores – this pulls in $10 per card. If you’re curious, additional data on cybercrimes is available at Information Is Beautiful’s website: http://bit.ly/1wQqs1h.

So, we worry about our financial security being stolen from something as simple as shopping, but have you stopped to think about medical device cybersecurity? The U.S. Food and Drug Administration (FDA) is, and so is the U.S. Department of Homeland Security (DHS). In fact, the DHS and FDA held a workshop recently to discuss how best to promote medical device cybersecurity. Presently, the DHS is investigating at least two dozen cases of possible cybersecurity flaws in medical devices – items ranging from artificial heart implants to hospital infusion pumps.

Jason Lay, manager of cyberthreat information at the U.S. Department of Health and Human Services, laid the situation out in bleak terms during the FDA workshop, stating that any web-enabled medical device can potentially become an assassination attempt – for example, a computer remotely tampering with a cardiac implant device.

Addressing the concern, White House Cybersecurity Coordinator Michael Daniel suggested that medical device makers should go “... back to some of the root design of just making cybersecurity one of the design features included in any [medical] device or product, the same way we have incorporated electrical security into all of our appliances.”

Easier said than done.

Not only do medical device designers need to make sure they are specifying the right components for a product, they now have to work to include cybersecurity measures. In addition, the Obama administration is urging the health care sector to adapt the National Institute of Standards and Technology’s (NIST) cybersecurity framework, so NIST and the FDA are spearheading this effort through industry roundtable discussions and workshops. However, after the first workshop, attendees pointed out that many obstacles still exist, ranging from legal worries to insufficient resources.

Obvious to me is the lack of communication among competing medical device OEMs, since competitors are not eager to share that type of information. Until a common forum to discuss these issues is agreed upon, how will medical device design engineers know which path to take? A completely new black market will soon arise if concerns aren’t addressed correctly.

What steps has your company taken to address cybersecurity threats in devices? Drop me a line at emodic@gie.net and let me know.


Elizabeth

November December 2014