Medical devices such as insulin pumps are at increased risk of cybersecurity breaches, which puts millions of patients at risk of significant harm, warns the Information Security and Privacy Advisory Board (ISPAB).
The Board, in a letter to the Office of Management and Budget, HHS and others, expressed concern that despite the rise of software-controlled medical devices, no one agency has the primary responsibility to ensure their cybersecurity, and there's an economic disincentive for providers to report incidents, since they may be seen as liable.
"Software-controlled medical devices are increasingly available through and exposed to cybersecurity risks on the internet; examples range from desktop computers controlling radiological imaging to custom embedded software found in pacemakers. With increasing connectivity comes greater functionality and manageability, but also increased risks of both unintentional interference and malicious tampering via these communication channels," the letter said.
The Board, which is a part of the National Institute of Standards and Technology (NIST), is tasked with identifying emerging issues regarding the security and privacy of information. It recommended that one federal agency, such as the Food and Drug Administration (FDA) should take primary responsibility for this issue. The Board suggested that the FDA take into account medical device cybersecurity when approving and monitoring medical devices. The FDA should also collaborate with NIST to better secure devices, provide training, and create a mechanism for reporting incidents.
Although the cybersecurity of devices such as smartphones and laptops has received considerable publicity, a breach of that kind of device, while problematic, doesn't run the same risk of patient harm. The Veteran's Administration has reported 173 medical devices infected with malware from 2009-2011, which shut down sleep labs and disrupted glucose monitors and caused the VA to make changes, such as isolating networks, to address the issue.
A non-profit consortium has also been created to coordinate efforts to improve medical device security.
HIMSS: Hospitals must be more 'proactive' about data breach prevention
Health privacy issues can be resolved without obstructing care
Spending on security of health data breaches to hit $70B by 2015
Rodriguez: HIPAA enforcement to increase
Cost of data breaches drops in U.S., but not for healthcare
EHRs a major cause of patient info breaches