Huge Potential Problem With Medical Devices

May 30, 2017
Paul M. da Costa

A startling two-thirds of medical device makers are concerned that their products may be susceptible to cyberattack.  Few, however, are taking the initiative to do anything about it.  A study conducted by Synopsys has found that less than one-fifth of these manufacturers are proactively seeking to prevent such attacks.

Ponemon Institute, a cybersecurity company conducting “independent research on privacy, data protection and information security policy”, carried out a study of people involved in examining and contributing to the security that protects medical devices.  The study polled 242 medical device employees and 262 workers at healthcare providers.  The survey indicated that a staggering 67% of device makers are of the opinion that a cyberattack on the devices is likely, while 56% of health delivery organizations believe the same.

According to the report, only 17% and 15% of the two groups, respectively, are proactively taking significant measures to prevent such an attack.  This means that between 41% and 50% of people within these groups are knowingly doing nothing about a potentially catastrophic problem.  Why?  Given such a massive discrepancy, this may be a lingering question on your mind.

The study attempted to procure an answer: roughly 80% of respondents from the two groups above argued that medical devices are simply too difficult to secure from cyberattack.  Only 25% believed the existing safeguards would suffice in the event of an attempted cyberattack.  Clearly, the industry has concern over this issue, and some 60% of device makers admit that the risk of a cyberattack on their devices is increased by the use of mobile devices.  Despite such fear, the survey indicated that only one-third of medical device respondents claim their companies encrypt IoT-device data, and only 39% of those utilize key management systems for their “encrypted traffic.”

The industry concern regarding cyber threats to medical devices is rampant, and the Food and Drug Administration (“FDA”) has stepped in to outline steps manufacturers should take to prevent such hacking.  The FDA recommends the following guiding principles to device manufacturers, among others:

  • Conduct appropriate software validation under 21 CFR 820.30(g) to assure that any implemented remediation effectively alleviates the target vulnerability without inadvertently creating other risks;
  • Appropriately document the methods and controls involved in the design, manufacture, storage, installation and servicing of all completed devices required by 21 CFR Part 820; and
  • Provide users with relevant information on the controls and residual cybersecurity risks so that they can take appropriate steps to mitigate those risks and be equipped to address incidents requiring immediate attention.

This guidance by the FDA will enable device manufacturers to develop ways to monitor and detect areas of susceptibility to cybersecurity attacks, assess the level of risk to patient safety, and find mitigations to address these threats in the early stages.

The director of Synopsys says that these findings highlight the importance of addressing measures to safeguard patients from a potential hack in an increasingly technologically savvy world.  He stresses that the industry must make a drastic and “fundamental shift” toward stopping the threat before it happens.

If you, or someone you know, may have been the victim of a cybersecurity attack while undergoing medical treatment, you may have a products liability or medical malpractice claim worthy of pursuing and you should contact Paul M. da Costa, Esq. at Sarno da Costa D’Aniello Maceri LLC.  Call Paul today at 973-274-5200.