Getty Images/iStockphoto

University of Minnesota Unveils Center for Medical Device Cybersecurity

The new Center for Medical Device Cybersecurity aims to cultivate collaboration between students, the tech industry, and government.

The University of Minnesota announced the new Center for Medical Device Cybersecurity (CMCDC), spearheaded by funding from leading medical device manufacturers including Smiths Medical, Optum, Boston Scientific, Medtronic, and Abbott Laboratories.

The center aims to “foster university-industry-government collaborations to ensure that medical devices are both safe and secure from the growing number of cybersecurity threats,” the university’s announcement explained.

The CMDC was the result of requests from the medical device manufacturing industry to form a hub for workforce training, outreach, and discovery to bolster the emerging field. The center will focus on researching and developing new technologies, as well as providing education and training to address cyber threats.

The CMDC will live in the University of Minnesota’s Technological Leadership Institute (TLI), a center within the university’s College of Science and Engineering.

“While manufacturers can ensure a high-level of safety through testing, the security of connected-devices remains a growing and moving target, making this collaboration and the work of the CMDC critical to the industry and all those it serves,” Allison Hubel, TLI director, emphasized in the announcement.

In its first year of operation, the CMDC plans to host a hackathon, roundtable discussions, and networking events. The team is also working on developing a medical device cybersecurity short course and summer internship program.

“Cybersecurity for medical devices is critical in retaining the trust consumers place in health care companies for how the technology is used, and how health information is protected,” Allison Miller, chief information security officer at Optum, continued.

“By partnering with academic organizations, industry experts, and our peers we can help formulate policies, regulatory proposals and state-of-the-art testing so that we not only support the long-term success of secure medical devices, but also protect the patients who rely on medical devices for their care therapies.”

Medical device cybersecurity is an increasingly popular topic within the health IT space. In June, HHS’ Office of the Inspector General (OIG) conducted a study and found that Medicare accreditation organizations (AOs) rarely use their discretion to assess medical device cybersecurity through regular hospital surveys.  

OIG stressed that it is “more important than ever that hospitals have a plan for securing their networked devices—which can number in the tens of thousands in a large organization—before those devices are compromised in a cyberattack.”

This gap in accountability and risk assessment could open the door to bad actors who can remotely hack into medical devices and inflict patient harm.

McAfee researchers recently discovered significant gaps in specific models of B. Braun infusion pumps that could allow hackers to deliver double doses of medications to patients without detection.  

The US Food and Drug Administration (FDA) received 56,000 reports of adverse events associated with infusion pumps between 2005 and 2009.

While there have been no reports of cybercriminals hacking into medical devices and meddling with medication doses, the vulnerability discovery exposed significant gaps in medical device cybersecurity that cannot be ignored.

Next Steps

Dig Deeper on Cybersecurity strategies