Medical Devices and Cybersecurity: Should You Worry about ECG Security?

Cybercrime hit an all-time high in 2020, and healthcare was an attractive target. As hospitals went into crisis mode and medical desk work became virtual, the challenges of COVID-19 opened new doors for hackers worldwide, and the U.S. Department of Health and Human Services (HHS) is warning that this problem may worsen in the future.¹

Amid the fears about medical devices and cybersecurity, items like pacemakers and insulin pumps have tended to garner the most mainstream press, but other monitoring tools, such as ECG, also warrant attention.

After all, "everything is hackable" says Kevin Fu, the FDA's new head for medical device security at the Center for Devices and Radiological Health.² Like any other connected medical device, ECGs are networked and therefore vulnerable to remote access. When devices are linked to outdated operating systems that no longer have active security support, it becomes even more likely that someone, somewhere will break in.

Why ECG Security Matters

As the HHS noted in June 2021, a large hospital's network might have roughly 85,000 medical devices connected to it at any given time.³ If any of those devices is hacked—including one linked to an ECG—it could have serious consequences, from data breaches of personal health information (PHI) to harmful effects on patient care.

One concern involves the devices themselves: if a monitoring tool such as ECG is accessed maliciously, unresolved vulnerabilities could allow hackers to reprogram the device from afar and impact its performance in real time.

Another more expansive risk relates to the network at large. Security problems with a single point, such as an ECG, could give hackers access to other devices and data connected to the network. For example, if an EMR shares the same network as an ECG, they would both contribute to privacy risk in this regard. If the ECG system is compromised, it could expose other medical equipment, which could lead to additional health and safety risks.

Hackability in the broader network can also invite ransomware attacks that could allow cybercriminals to hold systems hostage in exchange for a ransom. Such attacks are on the rise in hospitals as well as other areas of critical infrastructure, such as transit and utilities. The first ransomware-related death happened in 2020 in Germany when a hospital could not care for a patient while its systems were under hacker control.⁴

As more concerns about network hackability materialize post-pandemic, agencies like CMS and the FDA are taking more interest in cybersecurity regulations, requirements, and policies.^5,6

---

Stay on top of cardiology trends and best practices by browsing our Diagnostic ECG Clinical Insights Center.

---

Tips to Safeguard Medical Devices and Cybersecurity

As clinics and hospitals assess their cybersecurity ecosystems, physicians can do their part by working with security and IT teams to make sure healthcare technology stays up to date and patched (a process where security flaws are found and corrected). As one study in the Journal of Medical Internet Research reports, many patient monitoring tools are unpatched and therefore susceptible to attack.⁷

Replacing legacy or outdated computers (such as those that run old versions of Windows) with new systems that have modern-day security features is equally imperative. Ask vendors like GE Healthcare for guidance on what to replace and when.

According to physician groups such as the American Medical Association,⁸ other best practices for care team members include:

• Maintaining separate Wi-Fi networks for guests and the practice.
• Logging out when not using connected devices like ECG systems.
• Changing the default passwords of new devices and machines.
• Always enabling two-factor authentication when the option is available.
• Using anti-virus software when the option is available and leaving the computer on when updating.
• Using an encrypted virtual private network (VPN) when accessing the practice network remotely.

In addition, healthcare providers should be mindful of clicking on links or opening attachments from suspicious emails. Hackers often use a tactic called phishing to deploy harmful code called malware into email correspondence. Phishing can also lead to ransomware attacks.

Should You Worry About ECG Security?

ECG security is critical, but physicians should also be concerned about the security of thousands of other devices that are constantly delivering information to and from the hospital network. Cybercriminals are constantly finding new and creative ways to exploit vulnerabilities in devices like these, which only deepens concerns about privacy and patient care.

With caution and diligence, physicians, including cardiologists, can support better cybersecurity for ECGs and the thousands of other devices they use daily.

References:

1. U.S. Department of Health & Human Services Cybersecruity Program, Office of Information Security. 2021 Forecast: The Next Year of Healthcare Cybersecurity. U.S. Department of Health & Human Services. https://www.hhs.gov/sites/default/files/2021-hph-cybersecurity-forecast.pdf
2. Slabodkin G. FDA wants to require timely updates, patches for legacy devices: cyber chief. MedTech Dive. https://www.medtechdive.com/news/FDA-cyber-chief-talks-medical-device-risks-agency-priorities/602625/
3. U.S. Department of Health & Human Services Office of the Inspector General. Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals. U.S. Department of Health & Human Services. https://oig.hhs.gov/oei/reports/OEI-01-20-00220.pdf
4. O'Neill P H. A patient has died after ransomware hackers hit a German hospital. MIT Technology Review. https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/
5. Drees J. CMS considers making medical device cybersecurity part of hospitals' Medicare accreditation reviews. Becker's Hospital Review. https://www.beckershospitalreview.com/cybersecurity/cms-considers-making-medical-device-cybersecurity-part-of-hospitals-medicare-accreditation-reviews.html
6. U.S. Food & Drug Administration Digital Health Center of Excellence. Cybersecurity. U.S. Food & Drug Administration. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity
7. Ying H et al. Health care cybersecurity challenges and solutions under the climate of COVID-19: Scoping Review. Journal of Medical Internet Research. Apr 2021; vol. 23 (iss. 4). https://www.jmir.org/2021/4/e21747
8. American Medical Association Sustainability. Physician cybersecurity. American Medical Association. https://www.ama-assn.org/practice-management/sustainability/physician-cybersecurity