New research shows patients harmed by medical device breaches

As many as 1,000 patients suffered harm from cybersecurity attacks on healthcare delivery organizations involving ransomware, malware or an attack on an EHR system, according to a new survey of executives of device manufacturers and provider organizations.

One respondent from a medical device manufacturer said they were aware of an adverse event that occurred due to an existing security vulnerability in a medical device, but did not indicate how many patients were involved. 

The survey, conducted by researchers at the University of California San Diego, is scheduled for publication in an academic journal. The results were announced by Christian Dameff, M.D., an emergency physician and clinical informatics researcher at UCSD at the HIMSS Healthcare Security Forum this week. The survey was conducted anonymously since cybersecurity vulnerabilities are a difficult area to study "despite such surveys being prone to bias," Dameff told FierceHealthcare.

Of the 40 executives from some of the largest medical device vendors and provider organizations, two from healthcare delivery organizations said 100-1,000 patients were harmed during an unreported adverse event associated with a medical device cybersecurity vulnerability.

Twenty percent of survey respondents did not implement new policies based on the Food and Drug Administration’s pre and postmarket cybersecurity guidance, which includes regulations for meeting mandatory quality system regulations. The same percentage said they don’t plan to implement any new policies. 

Eight in 10 respondents said cybersecurity risks outpace the media's perception.

RELATED: House committee to examine cybersecurity risks of legacy technology in healthcare

Medical device cybersecurity is a growing concern among industry groups and lawmakers. But there have been no reported instances of patient harm tied to an attack, in part because it is difficult to make a direct association.

In April, the House Energy and Commerce Committee launched a deeper dive into cybersecurity risks associated with legacy medical devices. This week, AdvaMed issued a response in a letter (PDF) to the committee emphasizing the importance of patient safety “in a world where technology constantly evolves.”

But the organization also said the shelf life of underlying technology is just 3-4 years, making it difficult to support updates or patches beyond that time frame.

RELATED: Hacker group Orangeworm attacks long-standing vulnerabilities in healthcare imaging devices

“Once a technology is depreciated (e.g., 32-bit processors, encryption algorithms, total system storage and memory, and other hardware limitations), updates are either no longer available or not possible,” the organization wrote. “Manufacturers and health care delivery organizations typically implement defense-in-depth controls to mitigate risks presented by legacy technologies; however, these technologies simply cannot be supported in perpetuity.”

The group also pointed to the high costs associated with fixing a single vulnerability and argued that requiring manufacturers to support legacy technology would impact their ability to innovate.

“As FDA and others have stated, risk management of potential cybersecurity threats is a ‘shared responsibility’ among all stakeholders—manufacturers, hospitals, healthcare professionals, patients, regulators, IT developers, etc.—and we look forward to working with all stakeholders on ways to address potential threats in this area,” AdvaMed spokesperson Mark Brager said in a statement.

Device recalls reached record highs over the first three months of 2018, with software as the biggest driver. Last year, a Department of Health and Human Services Cybersecurity Task Force issued a report highlighting significant vulnerabilities across the healthcare industry. The taskforce specifically called out legacy devices as a weak spot and recommended HHS adopt a “Cash for Clunkers” program for providers to trade in old devices.

Editors Note: Following the publication of this article, lead author Christian Dameff, M.D clarified that based on the survey, the 1,000 patients reportedly harmed by a data breach occurred in healthcare delivery organizations and did not involve medical devices. Dameff emphasized the results were anonymous and respondents were self-reporting information.