Security researchers dubbed 2015 “year zero” for cybersecurity threats to medical devices, and the Food and Drug Administration rang in 2016 with recommended guidelines for medical device manufacturers about how to address cybersecurity vulnerabilities. Many worry that vital data from medical devices can be held ransom by hackers.
Since 2009, data on more than 120 million people—or one-third of the entire US population—has been compromised, according to the Department of Health and Human Services.
A list of the biggest hacks and data breaches in the last two years includes attacks on companies like Target and Home Depot in 2014 and, last year, on major government organizations like the IRS and the Office of Personnel Management, which keeps records on the 22 million current and former government employees. Data breaches in the medical world can come in the form of malware on medical devices or the illegal collection of patients’ medical data.
Most hackers are after user data to sell on black markets on the Internet. Health care data is some of the most valuable data for hackers and is usually worth about 400% more on the black market than identification data like credit cards and passwords. When medical data about a patient is released, there is no way to undo the public knowledge and harm. Health care data also includes the permanent Social Security numbers of the patients, along with information about lifelong health problems. Hackers can use this data to buy and sell medical equipment, medical care, and drugs.
In 2014, the second-largest health insurance company in the country was hacked, and data breaches affected over 80 million people. A few months later hackers accessed data in the University of California, Los Angeles hospital network, affecting 4.5 million people.
Malware on medical devices can affect the functionality of the device. Pacemakers, heart monitors, and other vital medical devices can be (and have been) infected with malware and viruses that cause problems with the data flow or with collected data, making treatment and use of the device impossible. The worry for 2016 is that ransomware will attack medical devices. Ransomware is a type of malware that takes control of a device and holds it hostage until the victim pays a fee.
Data breaches are almost commonplace now for major companies. CNN Money has created a tool that shows you what information hackers have about you. But data breaches in the medical world have higher stakes and expose permanent and life-threatening information about victims.
The FDA guidelines offer a practical approach to cybersecurity for medical devices. There is no easy solution to cybersecurity threats in the medical world. Old devices will need to be updated to meet current threats, but even new devices will need regular updates as new security threats arise. To sufficiently tackle these growing threats, medical companies will need a coordinated plan of constant monitoring.
Patients should remain vigilant about data breaches at companies that affect them, and should ask about safety features and data protection policies for the medical devices they use and the companies that manage them.