Patrick Maw, an expert in medical device cybersecurity at University College London Hospitals NHS Foundation Trust, recently gave a talk at IoT Tech Expo Global highlighting the cybersecurity threats facing connected medical devices.
Maw explained that a wide range of medical equipment now connects to healthcare networks, from infusion pumps and CT scanners to mobile devices running medical apps.
“Software is a medical device in its own right,” stated Maw, drawing attention to the expanding realm of medical technology.
While connected devices enable more comprehensive electronic health records and improved patient care, that connectivity also exposes vulnerabilities.
Maw warns that many devices run on outdated operating systems like Windows 7 that no longer receive security updates. Others can’t support antivirus software or patches without impacting functionality or regulatory compliance.
Such highly vulnerable devices leave clear openings for cyberattacks. Maw cited real-world examples like the 2017 WannaCry ransomware attack that severely disrupted NHS trusts. Over 140 known hacking groups could pose similar threats.
“We were getting patches for the Windows-based medical devices six months after WannaCry hit,” says Maw. “I’m hoping that suppliers will do better now, but there’s generally quite a delay.”
According to Maw, the most common attack vectors include phishing emails, malware infections, and targeting third-party software vendors to compromise supply chains.
To balance medical connectivity and security, Maw advises that healthcare organisations take measures like installing firewalls, network intrusion systems, and network segmentation to create protected zones for critical devices. Legacy systems too outdated to harden may need isolation.
Delving into the regulatory landscape, Maw provided a succinct overview of the Medical Device Directives of 1993, emphasising the criteria that define a medical device. He highlighted the 2017 updates, pointing out the evolving nature of regulations and the need for adherence to performance and safety standards.
Classification — based on risk — categorises medical devices into classes 1, 2A, 2B, and higher, depending on their potential impact.
“The key thing to remember is all these are regulated medical devices and you cannot change them without having to be recertified,” explains Maw.
Maw addressed the critical question of why medical devices are networked in the first place. He explained that the integration is driven by the necessity for a comprehensive patient record, aiming to replace cumbersome manual records with efficient electronic systems.
The shift towards unified systems — exemplified by UCLH’s implementation of EpicCare — streamlines patient information, reduces the risk of errors, and ensures a more accurate and accessible medical history.
Maw warns the sector cannot revert to paper records, so cybersecurity must be an ongoing investment. As connectivity expands, so too must cyber protections around medical systems and patient health data.