Medical Device Cybersecurity: A Progress Report
Researcher Ben Ransford on What's Changed in Last 10 Years; What's Left to Be Done
How much progress has the healthcare sector made in the last decade addressing medical device cybersecurity issues? And what action is still needed?
"Over the last 10 years, a whole lot of action has occurred in this space, and I think a lot of progress has been made. And the area has expanded from just the small set of researchers that started looking at these problems 10 years ago," says Ben Ransford, CEO and co-founder of healthcare cybersecurity firm Virta Labs, in an interview with Information Security Media Group.
Ransford was a part of a nine-member team of researchers from the University of Massachusetts Amherst, University of Washington, and Beth Israel Deaconess Medical Center in Boston who collaborated in a groundbreaking 2008 study that for the first time identified certain cybersecurity risks involving wireless, implantable cardiac devices.
Since then, dozens of other researchers and "white hat" hackers have identified similar problems in other cardiac devices - such as implantable pacemakers - as well as a variety of other medical devices.
Room for Improvement
In terms of the healthcare ecosystem, much of the progress over the last decade has been made by regulators, especially the Food and Drug Administration, which has been issuing industry guidance to help address cybersecurity risks in the lifecycle of medical devices, Ransford notes.
Medical device makers are also becoming more proactive about the cybersecurity of their products. "It's really been a sea change in how they approach security," he says.
Healthcare organizations that use vulnerable devices, however, have made the least progress, he contends.
"The exact devices that were in hospitals 10 years ago are probably still in operation today. Providers are probably the ones struggling the most in making progress."
In the interview, Ransford also discusses:
- Key findings from the 2008 research study, what's still relevant now, and where medical device cybersecurity is heading;
- The prospect of large-scale cyberattacks targeting medical devices and the potential impact on patient safety;
- Advice for how healthcare providers can improve their medical device cybersecurity practices.
Ransford, Ph.D., is co-founder and CEO of Virta Labs, a company that helps healthcare providers integrate cybersecurity into clinical workflows. As a core member of the interdisciplinary team that brought medical device security into the limelight in 2008, he has spent a decade supporting patients, healthcare providers, and manufacturers as they grapple with the realities of connected healthcare.