While medical devices are often designed for decades of use in hospitals, the software needed to run them becomes outdated more quickly. This results in devices running vulnerable software on healthcare networks, which can expose patients to physical and cyber threats.

In response to the threats facing medical devices, the Federal Bureau of Investigation (FBI) has released recommendations for the healthcare sector to bolster the cybersecurity of medical devices.

Consequences of medical device cyberattacks

Cybersecurity threats to medical devices can initiate a range of adverse effects. "On the extreme side, you have the scenario where a medical device compromise could directly impact patient safety and potentially be life-threatening," said Ben Denkers, Chief Innovation Officer at CynergisTek. "What could an attacker do if they took control of an insulin pump or pacemaker?" 

While medical device takeovers have the potential to cause life-threatening consequences, many cyberattacks on medical devices lead to system downtime, rather than complete control of devices. "The most common consequence is healthcare organizations must deny service to the individual because the device no longer works or requires supporting infrastructure, which has also been compromised. Where time becomes a critical success factor in many medical emergencies, this can also have severe patient impacts," said Denkers.

FBI medical device cybersecurity recommendations

To prevent cyberattacks on medical devices, the FBI released a list of recommended security strategies and technologies for healthcare cybersecurity leaders to adopt, including:

1. Endpoint protection: Encrypt medical device data, use antivirus protection where able in medical devices, and monitor for cyber threats to the hospital network.
2. Identity and access management: Use complex passwords and limit the amount of users with accessibility to medical device credentials. If possible, change medical device passwords on a regular basis.
3. Asset management: Maintain an inventory of all medical devices and track their software lifecycle to replace devices when necessary.
4. Vulnerability management: Scan devices for vulnerabilities and work with medical device manufacturers to update software.
5. Employee cybersecurity awareness training: Training should target insider threat prevention and social engineering attack mitigation.

This FBI guidance aims to provide the foundation of a robust healthcare security program that reduces medical device cyber risk. "Reducing risk is not a static, one-time process," said Denkers. "Organizations need to have a program in place to identify ongoing risk and ensure safeguards are performing as designed. Doing so can allow organizations to have an upper hand when dealing with the ever-evolving threat landscape."

For more medical device security information, read the full FBI recommendations.