Medical Device Cybersecurity Challenges and How to Counter Them

Cybersecurity Challenges

As cyber threats to the healthcare sector continue to ramp up in frequency and severity in the U.S. and globally, they increase the risk of rendering medical devices inoperable and disrupting patient care. In a worst-case scenario, ransomware attacks on medical devices can put protected health information at risk or even threaten lives. In this environment, healthcare cybersecurity experts report the need for improved standards and better efforts by hospitals and manufacturers to share responsibility for medical device security.

One of the challenges healthcare organizations face is defending older legacy medical devices – which often were not built with security in mind—against the growing threats of hacker attacks, according to a recent MedTech Dive article. Hospitals contend that as the end users, they bear a heavier burden for securing medical devices than medical device manufacturers do, and the American Hospital Association wants to see the Food and Drug Administration (FDA) mandate lifetime support of medical devices by manufacturers.

MedTech Dive also says the FDA has warned that unpatched medical devices “will become increasingly vulnerable to cyberattacks over time and has called for more communication from OEMs when they can no longer support software upgrades and patches needed to address their devices’ cybersecurity risks.” 

Mitigating Risk Throughout the Product Life Cycle 

According to the FDA, the need for effective cybersecurity to ensure medical device functionality and safety has become more important with the increasing use of wireless, internet- and network-connected devices; portable media like USB drives; and the frequent electronic exchange of medical device-related health information.

The agency in April released draft guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions,” which is intended to provide recommendations to agency staff and the industry regarding cybersecurity device design, labeling, and the documentation that the FDA recommends be included in premarket submissions for devices with cybersecurity risk.

This new draft guidance replaces an earlier 2018 draft version and is intended to further emphasize the importance of ensuring that devices are designed securely, enabling emerging cybersecurity risks to be mitigated throughout the total product life cycle, and to outline more clearly the FDA’s recommendations for premarket submission content to address cybersecurity concerns. The draft was shared for public comment between April 8 and July 7 as Docket Number FDA-2021-D-1158-0001 on the Regulations.gov website, but as of this writing, it is not yet considered final or ready for implementation.

When securing medical devices, some of the primary challenges IT departments face include non-secure device designs, standardized configurations, patching restrictions, and insider threats, according to cybersecurity solutions provider Cybeats. They recommend the following four best practices to help healthcare organizations improve the security of their medical devices:

  • Endpoint protection – Securing not only the medical device but also the endpoints they connect to, such as workstations
  • Access management – Binding device authentication to the corporate authentication system
  • Asset management – Maintaining a reliable inventory of medical devices and software components
  • Vulnerability management – Conducting a vulnerability assessment of the software deployed on medical devices and reviewing vulnerability disclosures provided by vendors

For more medical device security guidance, visit:

Read Related Dynamic Technology Solutions Content:

Supply Chain Cybersecurity: The Ukrainian War Increases Your Company’s Risk

Supply Chain Cybersecurity: The Ukrainian War Increases Your Company’s Risk

Supply Chain Cybersecurity: The Ukrainian War Increases Your Company’s Risk

The war in Ukraine has brought the issue of cybersecurity into the mainstream of public opinion, with increasing media coverage of actual and potential Russian cyberattacks on businesses and infrastructure—often, far from the fighting.

These threats are very real, but for many companies they are not entirely new. Supply chain cyberattack risks, in particular, have been growing for some time, especially for companies in life sciences and other industries with sophisticated supply chains. And they can come from states like Russia, or from criminals.

A sampling of recent articles sheds light on the threats. The digital technologies that have made supply chains more efficient and responsive also make them vulnerable to bad actors. “The level of automation in the pharmaceutical industry makes it a prime environment for attacks. These environments are complex, and they haven’t been built to defend against nation-state attacks,” one security expert recently told the Biospace news site. The growing connection of operational technology to the network is also a factor, because it means bad actors can not only steal or damage data, they can also disrupt production and operations.

The variety of partners typically involved also makes the supply chain an attractive target. That’s because it increases the number of potential entry points, and it also means that a single attack can quickly move through the network to affect numerous partners.

Recent events have made this even more of a problem, as COVID and Ukraine have disrupted supply chains and forced companies to quickly turn to new, and often unknown, suppliers. As one security expert recently told Supply Chain magazine, this is a problem for medical devices manufacturers, “because on-time production and delivery can be a question of life or death. Supply chain is already the weakest link in any organization, even at the best of times. But for complex medical devices, where there is a multi-layered supply chain of hardware and software? For them, changing suppliers, or adding to them, significantly increases the exposure to risk.”

In short, cybersecurity will be a key supply chain concern for years to come. As a recent Forbes article noted, “Cybercriminals will continue to capitalize on the world’s heavy reliance on supply chains, infiltrating entire chains and not just individual companies…. More than ever, cybersecurity vulnerabilities are showcasing how interconnected we all are—as well as the fragility of many of these connections.” As a result, the article explained, supply chain cybersecurity should be a board-level issue.

Staying on top of the threat will require a multipronged defense.

Companies need to continue to harden their information and operational technology landscapes, through everything from zero trust security and education to combat social engineering, to security assessments, improved vetting of suppliers, and the comprehensive inventory of supply-chain assets. At the same time, they should prepare for the real likelihood that there may be a cyberattack on their supply chain and build the resilience to get back up and running quickly in the event of a problem.