Striking a Balance: Medical Device Security and Innovation

Technological advances have revolutionized the healthcare industry. Electronic medical records (EMR), lifetime electronic health records (EHR) and diagnostic systems like MRI machines and other medical imaging devices, as well as wearable sensors and even robotic-assisted surgery systems, create an environment where patient data can be gathered, analyzed and shared among providers for improved health outcomes. However, along with exciting innovation and advances in networking and connectivity comes the potential for exploitation, which could cause great harm to patients, providers and medical device companies.^1,2

In this article, we explore the benefits and challenges of medical technology, and what it will take to build a highly-skilled workforce and robust medical device security that can take us into the future for a fully interconnected, healthier and safer world.

Medical Devices – Where We Are and Where We’re Going

The global market for medical devices, which was $451.2 billion in 2021, is projected to reach $730.3 billion by 2030. This includes more traditional diagnostic and monitoring systems used in healthcare settings, but increasingly encompasses home healthcare and high-tech devices, which saw tremendous growth during the COVID-19 pandemic.³

One medical device trend is the ongoing integration of artificial intelligence (AI), machine learning (ML) and the internet of things (IoT), which is the interconnection of devices for the purpose of sharing data with other systems.² In medicine, it is called IoMT, the internet of medical things, which connects medical devices (in hospitals, clinics and remotely from home) with software applications, health systems and healthcare services. This rising interest in IoMT comes out of all the connected sensors and other medical devices that can generate, collect, analyze and transmit a patient’s health data to healthcare providers, transmitted either to their internal servers or the cloud. This fast delivery system streamlines clinical workflow and leads to more accurate diagnoses, fewer errors, lower costs and better patient care.⁴

According to a report by Grand View Research, artificial intelligence (AI) and machine language (ML) in the healthcare market—found in patient management, diagnostics, medication and claims management, workflow management, medical device integration and cybersecurity—is expected to reach $120.2 billion by 2028, up from $10.4 billion in 2021.⁵ This creates an unprecedented opportunity for health informatics professionals who understand the new technology. But it also highlights the need for greater security measures.

The Urgency of Medical Device Security

Even before the global pandemic, 88% of providers were investing in remote monitoring technology.⁶ However, in the past few years, the growth of IoMT has exploded, with the need to share patient data quickly and remotely. Regulatory bodies, healthcare providers and device manufacturers must be especially vigilant to ensure that security measures are adequate to protect the enormous amount of sensitive data being wirelessly transmitted.²

The threat of a medical device cybersecurity breach is on two fronts. For product developers and manufacturers, there is the risk of exposing customer information. When the product is being used in a home or healthcare facility, connected products are vulnerable to cyber threats. Medical device manufacturers must ensure that their business partners understand and are proactive in cybersecurity measures to protect their interests as well as their customers and patients. It isn’t just good business to keep your devices safe from potential hackers. People’s lives depend on it.²

The U.S. Food and Drug Administration (FDA) maintains an expansive list of Cybersecurity resources, which includes medical device security news, cybersecurity alerts, and information for healthcare delivery organizations and medical device manufacturers on how to mitigate cybersecurity risks.⁷

The Challenge of Medical Device Security with Legacy Systems

It isn’t only the newer high-tech devices at risk of a security breach. Cybersecurity is an even greater challenge for older “legacy” medical devices still in use that were built long before the MedTech industry was incorporating security features into their product design. Some devices use insecure or outdated hardware, software, operating systems and protocols, leaving them wide open to an attack that can damage the company’s reputation as well as compromise patients’ safety. Cybersecurity experts point out that these older devices were never meant to be on a network. If the equipment is connected to the internet, it is at risk.⁸

Healthcare facilities with devices running outdated operating systems are a major risk. According to a survey by Forescout Research Labs, 0.4% of devices were running obsolete and unsupported operating systems.⁹ While this number is small, these were often critical devices, such as ventilators and insulin pumps, and some of these devices can’t be updated. ⁸

These threats aren’t just hypothetical. In 2019, the FDA issued a warning titled “URGENT/11,” regarding cybersecurity vulnerabilities in popular third-party software used in medical devices. The alert was so named due to 11 vulnerabilities that could allow any individual to remotely access a medical device and execute code to alter its function, cause information leaks or initiate a denial of service attack, preventing its proper function.^10,11

The FDA’s safety communications list a steady stream of security breaches affecting a wide variety of medical devices, including infusion pump systems, implantable cardiac devices, home health monitors, patient monitoring systems, insulin pumps and communication software.⁷ Additionally, hospitals are being increasingly targeted in ransomware attacks using medical devices, putting patients’ lives at risk.¹²

Efforts to Improve Medical Device Security

In 2017, a congressional task force issued their Report on Improving Cybersecurity in the Healthcare Industry, declaring that “healthcare cybersecurity is in critical condition." ^13,14 This led to the FDA’s Medical Device Safety Action Plan in 2018.¹⁵

Although the FDA is now tasked with providing guidance and overseeing cybersecurity issues in healthcare, as it stands now, the burden is still on healthcare organizations, device manufacturers and other stakeholders to respond to flaws in the systems as soon as they’re discovered. The key to success, according to Health IT Security, is collaboration and shared responsibility.¹⁶

This critical need to overhaul medical device security means that the industry will need a steady influx of highly skilled professionals who have the necessary expertise in the latest healthcare technology and cybersecurity.

Be at the Forefront of Health Informatics

Kent State University’s online Master of Science in Health Informatics will prepare you to become a leader in this rapidly-growing field. You will be given the theory and real-world experiences you need to find solutions for today’s challenges in areas such as public health, biomedical science and patient care—and you will have the skills that are in such high demand, to innovate while protecting the public’s health, safety and well-being.

Our online program is designed for busy professionals, whether you’re already in the health informatics field and wish to advance your career, or want to explore this exciting industry. We offer a practitioner faculty that combines theory with practice within a comprehensive curriculum, with the opportunity for internships and networking with health informatics experts.

Learn more about what this field has to offer by reading the Kent State University Health Informatics Blog.