Uncovering the Hidden Cybersecurity Risk: Implanted Medical Devices

by Andrew Speir, Vice President of Advanced Cyber Solutions and Commercial Services at Core4ce, 12/03/2024


Recent and high-profile cyber, ransomware and supply chain attacks on Kaiser Permanente, Ascension, and Change Healthcare have shown how the healthcare industry remains the number one target, and that no organization is immune. Last year, there were 249 healthcare-related ransomware attacks reported to the FBI Crime Center alone, not counting those that slipped under the radar, and far more than any other critical infrastructure sector.

In the wake of these ongoing attacks, most healthcare providers and hospital systems have focused their security efforts on protecting electronic health records (EHRs), patient portals, and payment infrastructures. Yet, a critical threat is hiding mostly out of sight—the cybersecurity risk of implanted medical devices.

Implanted Cybersecurity Risks

Medical devices from pacemakers to insulin pumps, cochlear implants, glucose meters, nerve stimulators and more have revolutionized healthcare, improving quality of life and outcomes for millions of people. However, these devices’ reliance on wireless connections and software makes them potential targets for cyberattacks. If they are compromised, it could lead to the exposure of sensitive patient data or worse, direct harm to patients such as drug overdoses or delivering electric shocks at the wrong time.

These medical devices can connect to hospital and healthcare networks, where they can serve as entry points: either for direct access or as a foothold for lateral movement toward databases and web servers, potentially exposing valuable patient, healthcare, and financial data.

We have seen several recurring vulnerabilities in implanted medical devices. These include unchanged default passwords, unpatched firmware, and web-facing misconfigurations. Collectively, these issues create entry points for malicious actors to gain access to patient health information, take control of devices, or manipulate them, putting patient safety at significant risk.

Weak Links in Device Security Create Real Concerns

One of the most pressing security concerns is that default passwords are often set by medical device manufacturers and rarely changed once a device is implanted in a patient. This creates a simple entry point for attackers, who can easily obtain these default passwords from publicly available sources. At the same time, misconfigured internet-connected devices can also create easy access points for cybercriminals to exploit.

Outdated firmware is another critical issue. Once a device is implanted, it is not always feasible to update its software when a new vulnerability is discovered. Even when manufacturers can develop patches, they may face delays due to FDA regulations that require rigorous testing and approval before updates can be distributed. While these regulations are vital for ensuring the safety and efficacy of medical devices, they also create a time lag that leaves patients vulnerable to cyberattacks.

The real-world consequences of such vulnerabilities are far from hypothetical. In recent years, Medtronic issued two recalls for insulin pumps for cybersecurity vulnerabilities that could allow hackers to alter insulin delivery settings. Although no attacks were reported, these recalls highlighted how real the threat is. As connected healthcare devices continue to proliferate and the attack surface grows, it becomes ever more critical to proactively address these risks.
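As an added example that is not part of the article, the following Python sketches how a hospital security team might triage a device inventory against the weaknesses described above (default credentials, patch lag behind a vendor-fixed firmware version, and web-facing management interfaces). The inventory fields and device records are constructed assumptions, not any vendor's real data model.

```python
# Added example, not from the article: rank a constructed device inventory by
# the recurring weaknesses it exhibits. Field names and records are assumptions.
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    firmware: str            # installed version, e.g. "2.3.1"
    latest_firmware: str     # vendor-published version containing the fix
    default_creds: bool      # management credentials never rotated
    mgmt_exposure: str       # "none", "clinical_vlan" or "internet"
    delivers_therapy: bool   # pump or stimulator: compromise can harm the patient

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def findings(d: Device) -> list:
    """Return (severity, reason) pairs; 3 is the most urgent."""
    out = []
    if d.default_creds:
        out.append((3, "default or never-rotated management credentials"))
    if parse_version(d.firmware) < parse_version(d.latest_firmware):
        # Patch lag: a fixed version exists but is not on this device.
        out.append((2, f"firmware {d.firmware} behind fixed {d.latest_firmware}"))
    if d.mgmt_exposure == "internet":
        out.append((3, "management interface reachable from the internet"))
    elif d.mgmt_exposure == "clinical_vlan" and d.default_creds:
        out.append((2, "weak credentials reachable from shared clinical VLAN"))
    return out

def triage(devices: list) -> list:
    """Rank devices by worst finding; therapy-delivering devices first on ties."""
    rows = []
    for d in devices:
        f = findings(d)
        if f:
            rows.append((max(s for s, _ in f), d.delivers_therapy, d.device_id, [r for _, r in f]))
    rows.sort(key=lambda r: (r[0], r[1]), reverse=True)
    return rows

INVENTORY = [  # constructed sample, not real devices
    Device("pump-017", "2.3.1", "2.4.0", True, "clinical_vlan", True),
    Device("stim-004", "1.9.0", "1.9.0", False, "none", True),
    Device("cgm-102", "5.0.2", "5.1.0", False, "internet", False),
]

if __name__ == "__main__":
    for worst, _, dev_id, reasons in triage(INVENTORY):
        print(f"[sev {worst}] {dev_id}: " + "; ".join(reasons))
```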

The Need for FDA Patch Approval Reform

The regulatory framework around medical devices creates another major challenge in addressing these vulnerabilities. While the FDA plays a crucial role in ensuring the safety of medical devices, its approval process can create a bottleneck for cybersecurity improvements and patch deployment. When manufacturers discover security vulnerabilities in devices that have already been approved, they must still go through the FDA’s lengthy approval process for patch updates, even when the vulnerability poses an immediate security risk. 

To mitigate this issue, it is essential that the FDA adopts a more agile regulatory framework that balances patient safety with the need for timely cybersecurity updates. One solution could involve pre-certifying security updates so that they can be implemented without going through the full approval process each time.

Recommendations for Improving Medical Device Security

To enhance the security of implanted medical devices, healthcare organizations and the FDA should take the following steps:

  1. Mandatory Security by Design: Device manufacturers should be required to implement cybersecurity features during the design phase, including using encrypted communications, multi-factor authentication, and built-in update mechanisms that allow for timely patching. Currently, this is only suggested in the FDA guidance.
  2. Change Default Settings: Hospitals and clinics must enforce policies that require passwords and configuration settings to be changed as soon as devices are deployed. This step alone could eliminate a significant number of vulnerabilities.
  3. Strengthening FDA Oversight: The FDA should develop a more streamlined process for security patches, allowing for expediting the review of updates that address critical vulnerabilities.
  4. Ongoing Training and Awareness: Healthcare providers also need to invest in cybersecurity training programs to ensure that staff are aware of the risks associated with medical devices. This includes developing protocols for responding to cyber incidents involving medical devices.
  5. Collaboration Between Government and Industry: Finally, government agencies and the private sector should collaborate more closely to share threat intelligence and best practices for securing medical devices. By having the latest information on medical device threats and potential attack techniques, healthcare organizations can improve their security. 

A Call to Action for Healthcare Leaders

Connected medical devices and their cybersecurity risks will only continue to grow. To protect patient safety and data, it is imperative that healthcare providers, manufacturers, and regulators work together to address these vulnerabilities now. While protecting EHRs, patient data and payment systems is crucial, the hidden risks of connected medical devices need to be uncovered and taken seriously. The stakes are simply too high.


About Andrew Speir

Andrew Speir is the Vice President of Advanced Cyber Solutions and Commercial Services at Core4ce, a data-minded company serving national and enterprise security communities, with over a decade of experience in cybersecurity and healthcare IT industries. Currently, he leads corporate campaigns and oversees the Defense Health division, including a $350 million portfolio, $100 million in annual revenue, and 250 employees.

Before Core4ce, Speir managed CACI International’s NIWC and DHA healthcare IT portfolio, including the $90 million Medical Information Delivery System Engineering Support (MIDSES) contract. At Honeywell Technology Solutions, he worked with both DHA and NIWC civilians to co-author the Risk Management Framework Process Guide, which the Defense Health Agency now uses to meet National Institute of Standards and Technology (NIST) and DoD cybersecurity standards for Authority to Operate.
