The Cybersecurity Threat in Every Health Care Facility

January 04, 2024

The Government Accountability Office (GAO) is calling on federal agencies to update their agreement to better protect heart monitors and other medical devices from cyberattacks.

In a new report, the GAO said the federal government needs to update its medical device cybersecurity agreement to ensure effective coordination across agencies.

“Cyber incidents that impact medical devices could delay critical patient care, reveal sensitive patient data, shut down health care provider operations, and necessitate costly recovery efforts,” the report notes.

Here’s what you need to know:

• The issue:  The FDA and the Cybersecurity and Infrastructure Security Agency (CISA) have a five-year-old agreement that needs to be updated to reflect modern challenges and best practices.
• Background:  Medical devices are not a common source for cyberattacks, but federal officials warn that disruptions to these devices could have far-reaching consequences for operations and patient care.  Potential devices susceptible to these attacks include insulin pumps, defibrillators, pacemakers, and pain pumps, among others.
• Key stats:  About 53 percent of connected medical devices and other “internet of things” devices had known critical vulnerabilities during January 2022.
  • There are more than six vulnerabilities per medical device on average.
• Next steps:  Both the FDA and CISA agreed to make updates to their agreement to reflect changes from recent years.
• Quotable:  “As devices become more integrated with medicine and more digitally interconnected, securing medical devices against cyber threats is imperative,” the report notes.

Known vulnerabilities for these devices include insecure default configuration, customized software that requires special upgrading and patching procedures, and a lack of security built into the design.

The full report is available online.

For more information about health care cybersecurity, contact Jason Tomashunas, MS, CHEP, HAP manager, emergency management.