CyberVitals: The Silent Threat Within - Navigating Software Vulnerabilities of Medical Imaging Devices

Contributor: Vidya Murthy, WEMBA’42 

 

The Convergence of Technology and Patient Care 

Imagine a bustling hospital, the heart of modern healthcare. Sophisticated medical imaging devices — MRI machines, CT scanners, X-ray machines, and ultrasound systems — are the workhorses of care delivery, providing critical insights for diagnosis and treatment. In 2024, Forescout Technologies highlighted the most vulnerable connected medical devices, with DICOM (Digital Imaging and Communications in Medicine) workstations and PACS (Picture Archiving and Communication System) at the top of the list. For healthcare leaders operating not just in the US but also within the European Union, understanding and mitigating the software vulnerabilities in medical imaging devices isn't just an IT issue; it's a crucial business and patient safety imperative - no matter whether you manage a hospital or are a manufacturer of imaging devices.

The Intricate Software Ecosystem of Medical Imaging

These imaging devices aren't just hardware; they're complex systems dependent on a web of software components. Think of it as a software stack:

  • Operating systems (often older, embedded versions)
  • Image acquisition and processing software
  • Network communication protocols (DICOM for images, HL7 for orders, patient data, reports, and billing)
  • Integration with hospital information systems (HIS) and picture archiving and communication systems (PACS).

This complexity creates challenges. Interoperability issues can lead to security gaps. Maintaining a device’s security posture requires a reliable patching cadence, but many devices are considered ‘legacy’ and patches are no longer available. Proprietary software makes independent security audits challenging. For example, a vulnerability in the DICOM communication protocol, as highlighted by researchers from Aplite, could potentially allow unauthorized access to millions of patient images.

Why Imaging Devices are Prime Targets for Cyberattacks

Why are these devices so vulnerable? Several factors make them prime targets:

  • High-Value Data: Medical images contain sensitive protected health information (PHI), making them attractive targets for data breaches and ransomware attacks.
  • Critical Infrastructure: These devices are essential for diagnosis and treatment. Disruptions can have severe consequences for patient care and hospital operations.
  • Interconnectedness: Integration not only with hospital networks but also with external referring physicians and specialists expands the attack surface, providing pathways for lateral movement within the system.
  • Lifespan Discrepancy: Medical devices have long lifespans, while software and cybersecurity threats evolve rapidly, leading to broad and prolonged exposure to vulnerabilities.
  • Computer Likeness: More so than other medical devices, imaging systems are architecturally closer to regular computers and are therefore exposed to the multitude of viruses and attacks written against standard computer environments; such malware can compromise imaging whether or not the attack was targeted at the device.

The Business Implications of Unsecured Imaging Devices

To contextualize what this means, the WannaCry ransomware attack on the UK NHS compromised not only computer systems but also medical devices, such as MRI machines and infusion pumps. There is no evidence that the attack was a targeted event, yet it resulted in appointment cancellations, delayed diagnoses, and significant financial losses, estimated at £92 million in disruption to services and IT upgrades. The identified impacts of an insecure device being exploited are:

  • Financial Losses: Ransomware payments, legal fees, regulatory fines (HIPAA violations in the US, GDPR fines in the EU).
  • Reputational Damage: Loss of patient trust and negative media coverage, impacting market share and patient acquisition.
  • Operational Disruptions: Downtime of critical equipment, impacting patient flow and revenue.
  • Patient Safety Risks: Delayed or incorrect diagnoses due to compromised systems, leading to potential liability and regulatory sanctions.
  • Increased Insurance Premiums: Higher costs associated with cyber insurance in recognition of elevated risks.

The Regulators’ Stance on Cybersecurity: Prioritization Amidst Resource Constraints

While discussions about resource allocation for regulatory bodies exist, cybersecurity of medical devices remains a high priority for both the FDA and EU lawmakers.

  • FDA: The FDA has numerous guidance documents emphasizing premarket submissions requiring cybersecurity considerations and postmarket management of vulnerabilities.
  • EU MDR: The EU MDR (Regulation (EU) 2017/745) explicitly addresses cybersecurity in Annex I, Chapter III concerning the information supplied with the device and general safety and performance requirements. It mandates that devices are developed and manufactured according to the state of the art, considering risk management, including information security and protection against unauthorized access. Guidance documents like MDCG 2019-16 provide further detail on fulfilling these requirements.

Both regulatory frameworks emphasize a "security by design" approach and require manufacturers to conduct risk assessments and implement robust security measures throughout the device lifecycle.

Mitigating the Risks

As you head into the second half of the year, the following strategies (if executed in 2025) can inform priorities in 2026:

  • Comprehensive Risk Assessments: Regularly identify and evaluate software vulnerabilities in imaging devices, aligning with both FDA and EU MDR risk management expectations.
  • Robust Patch Management Programs: Establish processes for timely updates and patching of software, adhering to post-market surveillance requirements in both regions.
  • Network Segmentation: Isolate medical device networks to limit the impact of breaches, a recommended security practice globally.
  • Strong Access Controls: Implement multi-factor authentication and role-based access, crucial for compliance with both HIPAA and GDPR.
  • Security Awareness Training: Educate clinical and IT staff on cybersecurity best practices relevant to both US and EU regulations.
  • Collaboration with Manufacturers: Engage with vendors to understand their security measures and update schedules, ensuring compliance with both pre-market and post-market requirements.
  • Incident Response Planning: Develop and test plans to address potential cyberattacks, a critical element for mitigating the impact of breaches under both US and EU frameworks.
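Network segmentation and access control are only effective if someone checks that the imaging segment is actually isolated. The script below is an added example written for this article, not code from the author or from any vendor: it audits firewall flow records and flags DICOM or HL7 connections that reach imaging devices from outside the zones allowed to talk to them, as well as imaging devices that initiate connections outside their permitted zones. The addresses, the allowed PACS/HIS zone, the key=value log format and the sample flow lines are all constructed for the example; the DICOM ports 104 and 11112 are the well-known and IANA-registered ones, and 2575 is used as the HL7 MLLP port on the assumption that the site has not moved it.

```python
"""Segmentation audit for an imaging network segment (added example).

Assumptions, all constructed for this example: imaging devices live in
10.20.0.0/24; the only systems allowed to open DICOM/HL7 connections to
them (or to receive connections from them) sit in the PACS/HIS zone
10.30.5.0/28; the firewall writes one flow per line as key=value pairs.
"""
import ipaddress
import re
from typing import Optional

IMAGING_SEGMENT = ipaddress.ip_network("10.20.0.0/24")     # constructed
ALLOWED_PEERS = [ipaddress.ip_network("10.30.5.0/28")]      # PACS/HIS zone, constructed
DICOM_PORTS = {104, 11112}   # well-known and IANA-registered DICOM ports
HL7_PORTS = {2575}           # HL7 MLLP port; assumed not relocated at this site

# Constructed sample flows: a legitimate PACS pull, a workstation outside the
# allowed zone talking DICOM straight to a scanner, a probe from another VLAN
# that the firewall blocked, a scanner reaching a public address, allowed DNS,
# and an HL7 connection from an unapproved host.
SAMPLE_FLOWS = """\
2025-06-01T08:00:01Z src=10.30.5.4 dst=10.20.0.12 dport=104 proto=tcp action=allow
2025-06-01T08:00:07Z src=10.40.1.77 dst=10.20.0.12 dport=11112 proto=tcp action=allow
2025-06-01T08:00:09Z src=192.168.50.23 dst=10.20.0.15 dport=104 proto=tcp action=deny
2025-06-01T08:00:15Z src=10.20.0.12 dst=203.0.113.9 dport=443 proto=tcp action=allow
2025-06-01T08:00:20Z src=10.20.0.12 dst=10.30.5.2 dport=53 proto=udp action=allow
2025-06-01T08:00:31Z src=10.40.1.80 dst=10.20.0.15 dport=2575 proto=tcp action=allow
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_flow(line: str) -> Optional[dict]:
    """Parse one key=value flow line; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["src"] = ipaddress.ip_address(flow["src"])
    flow["dst"] = ipaddress.ip_address(flow["dst"])
    flow["dport"] = int(flow["dport"])
    return flow


def _in_allowed_zone(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in ALLOWED_PEERS)


def classify(flow: dict) -> Optional[tuple]:
    """Return (severity, reason) if the flow breaks the segmentation policy, else None."""
    src, dst, port = flow["src"], flow["dst"], flow["dport"]
    inbound = dst in IMAGING_SEGMENT and src not in IMAGING_SEGMENT
    outbound = src in IMAGING_SEGMENT and dst not in IMAGING_SEGMENT
    clinical_ports = DICOM_PORTS | HL7_PORTS
    if inbound and port in clinical_ports and not _in_allowed_zone(src):
        proto_name = "DICOM" if port in DICOM_PORTS else "HL7"
        if flow["action"] == "allow":
            # The firewall let an unapproved host talk to a modality: policy gap.
            return ("high", f"{proto_name} connection from outside the allowed zone "
                            f"was ALLOWED ({src} -> {dst}:{port})")
        # Blocked, but still worth knowing who is probing the modalities.
        return ("medium", f"{proto_name} probe from outside the allowed zone "
                          f"blocked ({src} -> {dst}:{port})")
    if outbound and not _in_allowed_zone(dst) and flow["action"] == "allow":
        # Modalities should not reach anything except the PACS/HIS zone.
        return ("high", f"imaging device initiated a connection outside its "
                        f"allowed zones ({src} -> {dst}:{port})")
    return None


def audit(log_text: str) -> list:
    """Run classify() over every parseable flow and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        result = classify(flow)
        if result is not None:
            severity, reason = result
            findings.append({"ts": flow["ts"], "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding["ts"], finding["severity"].upper(), finding["reason"])
```

Run against the constructed sample the audit yields four findings: the allowed DICOM connection from 10.40.1.77, the blocked probe from the 192.168.50.0 network, the scanner reaching 203.0.113.9, and the HL7 connection from 10.40.1.80; the PACS pull and the DNS lookup to the allowed zone produce nothing. Feeding the real firewall export through the same logic, with the site's own segment and allow-list substituted, gives a concrete check on whether the segmentation described above holds in practice.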

Addressing software vulnerabilities in medical imaging devices is critical. Proactive cybersecurity measures are not just an IT concern but a fundamental aspect of quality patient care and sound business management. Healthcare leaders must prioritize cybersecurity investments and foster a culture of security within their organizations.


Contact Vidya at: [email protected]