New research shows patients harmed by medical device breaches

As many as 1,000 patients suffered harm from cybersecurity attacks on healthcare delivery organizations involving ransomware, malware or an attack on an EHR system, according to a new survey of executives of device manufacturers and provider organizations.

One respondent from a medical device manufacturer said they were aware of an adverse event that occurred due to an existing security vulnerability in a medical device, but did not indicate how many patients were involved. 

The survey, conducted by researchers at the University of California San Diego, is scheduled for publication in an academic journal. The results were announced this week by Christian Dameff, M.D., an emergency physician and clinical informatics researcher at UCSD, at the HIMSS Healthcare Security Forum. The survey was conducted anonymously since cybersecurity vulnerabilities are a difficult area to study, "despite such surveys being prone to bias," Dameff told FierceHealthcare.

Of the 40 executives from some of the largest medical device vendors and provider organizations, two from healthcare delivery organizations said 100-1,000 patients were harmed during an unreported adverse event associated with a medical device cybersecurity vulnerability.

Twenty percent of survey respondents did not implement new policies based on the Food and Drug Administration’s pre- and postmarket cybersecurity guidance, which includes regulations for meeting mandatory quality system regulations. The same percentage said they don’t plan to implement any new policies.

Eight in 10 respondents said cybersecurity risks outpace the media's perception.

Medical device cybersecurity is a growing concern among industry groups and lawmakers. But there have been no reported instances of patient harm tied to an attack, in part because it is difficult to make a direct association.

In April, the House Energy and Commerce Committee launched a deeper dive into cybersecurity risks associated with legacy medical devices. This week, AdvaMed issued a response in a letter (PDF) to the committee emphasizing the importance of patient safety “in a world where technology constantly evolves.”

But the organization also said the shelf life of underlying technology is just 3-4 years, making it difficult to support updates or patches beyond that time frame.

“Once a technology is depreciated (e.g., 32-bit processors, encryption algorithms, total system storage and memory, and other hardware limitations), updates are either no longer available or not possible,” the organization wrote. “Manufacturers and health care delivery organizations typically implement defense-in-depth controls to mitigate risks presented by legacy technologies; however, these technologies simply cannot be supported in perpetuity.”

The group also pointed to the high costs associated with fixing a single vulnerability and argued that requiring manufacturers to support legacy technology would impact their ability to innovate.

“As FDA and others have stated, risk management of potential cybersecurity threats is a ‘shared responsibility’ among all stakeholders—manufacturers, hospitals, healthcare professionals, patients, regulators, IT developers, etc.—and we look forward to working with all stakeholders on ways to address potential threats in this area,” AdvaMed spokesperson Mark Brager said in a statement.

Device recalls reached record highs over the first three months of 2018, with software as the biggest driver. Last year, a Department of Health and Human Services Cybersecurity Task Force issued a report highlighting significant vulnerabilities across the healthcare industry. The task force specifically called out legacy devices as a weak spot and recommended HHS adopt a “Cash for Clunkers” program for providers to trade in old devices.

Editor's Note: Following the publication of this article, lead author Christian Dameff, M.D., clarified that based on the survey, the 1,000 patients reportedly harmed by a data breach occurred in healthcare delivery organizations and did not involve medical devices. Dameff emphasized the results were anonymous and respondents were self-reporting information.
