
Cyber Series Part 2: Medical Devices

October 20, 2021

By Jessica C. Engler, JD, CIPP/US, Partner, Kean Miller and Joseph T. D. Tran, JD, CIPP/US, LAMMICO


For “Cyber Series Part 1: Elementary Ransomware” click here.

Medical devices. Noun. Instruments and implements that (i) are intended to be used for the diagnosis, cure, mitigation, treatment, or prevention of a disease, (ii) affect the structure or any function of the body, or (iii) are not dependent upon being metabolized to achieve these purposes.

A 72-year-old man suddenly feels weak and passes out on his kitchen floor. As his wife rushes to him, she sees a message flashing on his phone that reads, “Want to keep living? Pay the ransom now. You have two minutes.” She calls 911 for an ambulance and panics, trying to figure out how to stop the timer. The ambulance comes minutes later, but the man dies on his way to the hospital due to acute cardiac failure from the interruption of his pacemaker. It turns out the hacker was able to exploit a bug in an outdated version of the pacemaker application to turn off the pacemaker and push a message to the man’s phone.

This is a vicious example of exploiting human life for gain, but cyber experts agree this could happen, soon. Medical devices, like other computing devices, continue to become more advanced, and the Software as a Medical Device (SaMD) industry is booming. But like any other computing device connected to the internet or internal network, SaMD devices are vulnerable to cybersecurity threats and attacks. Healthcare providers and hospitals are frequent targets of cybersecurity incidents due to the importance of the information they hold and the necessity of perpetual and immediate access to that information.

While no deaths have been confirmed to be directly caused by a SaMD cyber event, at least one plaintiff sued a hospital for the death of her child, who suffered a brain injury and died months later, allegedly as a result of a cyberattack on the hospital. The hospital had been experiencing a more than week-long ransomware attack that prevented it from running tests or accessing patient files. The plaintiff claims the hospital did not inform her of the ransomware attack, which prevented the hospital from running appropriate tests that the plaintiff alleges could have ultimately saved her child.

In addition to medical equipment in a hospital, many patients use unprotected or outdated medical devices like pacemakers and insulin pumps that cyber criminals can exploit. Five models of insulin pumps manufactured by Hospira – a firm with 400,000 intravenous pumps installed globally – were so vulnerable that the FDA warned that a hacker could covertly change the dosage of drugs administered to a patient to lethal levels. IBM has also identified vulnerabilities that continue to make insulin pumps targets for hackers. Similarly at risk are MRI scanners, X-ray machines, heart rate monitors, blood pressure monitors, respiration monitors, glucose sensors, brain fluid pressure sensors, endoscope capsules and cardiac arrhythmia monitors/recorders.

The U.S. Food and Drug Administration (FDA) regulates medical devices from their initial design to sale, as well as some aspects of manufacturers' responsibilities for their devices after sale. However, it does not regulate the use of devices or their users, including how they link to or are configured within networks. Medical devices are typically designed to be networked at their points of use, but their flexibility and scalability also open remote access paths into medical information technology networks. Storage capacity, fast computing, ease of use and portability make mobility attractive.

Legacy medical devices manufactured prior to passage of the Medical Device Regulation Act 1976 – the law that regulates the safety, classification and use of medical devices – are also still used today. Some of those medical devices are (from a software perspective) obsolete, making them nearly impossible to upgrade with new, secure design features. Other older devices are so integrated with an individual that replacement with newer models is dangerous, or the individual is not stable enough to undergo extensive surgery. Yet even newer devices are not entirely secure, as the custom features that make a device more robust and easier to use can also require more third-party code development, which introduces vulnerabilities. Because medical devices may contain sensitive or personal information, system owners may be reluctant to allow manufacturers access for upgrades or updates. Failure to install updates and patches also increases the risk of hacking. Because cybersecurity is largely reactionary, staying vigilant for new threats is an unchanging responsibility.

Risk Mitigation Considerations

Medical devices offer new pathways to ensure patient health, but the challenge for healthcare providers and hospitals is to ensure patient safety while effectively using the medical device. Whether these devices are used by patients or whether they are connected to a facility’s network, consider the following risk mitigation strategies:

  • Work with your practice, hospital or facility to understand how medical device vulnerabilities are being addressed and how healthcare providers are involved
  • Evaluate the security of your network and assess for vulnerabilities
  • Install antivirus software and keep it and all devices within your practice or facility updated
  • Educate your patients on how they can keep their devices updated
  • Use federal and state resources, such as HHS’s HC3 program and stopransomware.gov, to develop your cybersecurity programs
  • Identify at least one person or entity that is responsible for reviewing and updating all software and firewalls and uploading security patches
  • Restrict unauthorized access to the network and networked medical devices, especially from those employees who are terminated or move to another department or role within your practice
  • Contact the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
  • Stay current on security issues related to heart devices, especially those that you use or recommend to your patients. Determining, before an attack occurs, under what circumstances patients should be notified of an attack is crucial. In some instances, like a ransomware incident, immediately notifying patients may not be warranted until the damage is assessed and the authorities are informed. Providers can remind patients of cybersecurity best practices, especially if their devices or software require updates.
  • If a device you use in patient care is capable of being connected to the internet, evaluate whether such connection is necessary for patient care. If it is not, then do not enable network connections.

Cyber Liability Coverage and Additional Resources

LAMMICO includes $10,000 of MEDEFENSE® Plus/Cyber Liability coverage in most provider policies at no additional charge to the insured. We also offer the option to purchase higher limits of protection through our subsidiary agency, Elatas Risk Partners, subject to underwriting, which will include questions that focus on two-factor authentication and backup processes and procedures. Please contact Carly Thames, Elatas Account Executive, at cthames@lammico.com or 225.906.2062 for information on purchasing higher limits of Cyber Liability insurance.

In partnership with our cyber risk experts, Tokio Marine HCC – Cyber & Professional Lines Group, LAMMICO offers our insureds complimentary access to TMHCC CyberNET®, an advanced cyber risk management solution that includes incident response plans, compliance and training materials, and information addressing the latest trends in data breaches and cybercrime, including concerns surrounding COVID-19.

Registered lammico.com Members are encouraged to log in and access the CyberNET® portal.

For more information about minimizing cybersecurity threats, please contact the LAMMICO Risk Management and Patient Safety Department at 504.841.5211 or access the following additional resources:

Cyber Series Part 1: Elementary Ransomware
Health Sector Cybersecurity Coordination Center
HHS Cybersecurity Program
FDA Fact Sheet: The FDA’s Role in Medical Device Cybersecurity
FDA Digital Health Center of Excellence: Cybersecurity
Exposing vulnerabilities: How hackers could target your medical devices