
Medical device cyber security – Consumer information

18 July 2019

Digital technology in your medical devices

You may have noticed that some of your medical devices can connect to the internet, communicate with your mobile phone, or might send information to other people, such as your doctor or the company that made the device.

These features, enabled by digital technology, aim to make your devices more useful. They can help you control the device, monitor your health at home, or share information that your doctor might use to diagnose or treat you.

Some examples of medical devices with digital technology include:

  • apps on your smartphone that allow you to record information, such as blood glucose readings and carbohydrate intake, that will be used to determine treatments, such as insulin injections
  • implanted devices that can be remotely controlled, such as cardiac pacemakers
  • hearing aids that may be controlled by your smartphone
  • continuous positive airway pressure (CPAP) machines that treat sleep apnoea, and communicate therapy information to your doctor.

Safely using connected and digital medical devices

Questions to ask about your device

When being prescribed or purchasing a medical device, you need to understand any potential risks associated with cyber security. Depending on the question, either your doctor or the manufacturer of the medical device can be good sources of information. In relation to cyber security, questions to ask could include:

  • What are the cyber security risks associated with use of my device?
  • What are the default security settings?
  • What happens to the security of the device if I change the default settings?
  • When and how does this device connect to the internet (including home WiFi, mobile networks, and public WiFi)?
  • What information is collected and stored on the device or my smartphone, where does it go, and who has access to it?
  • How can I tell if a device has been hacked or compromised and who should I talk to if this is suspected?
  • What do I need to do to maintain the device (e.g. updates)?
  • If the device connects to my smartphone, do I need to check any settings on the smartphone, such as password settings and connectivity settings?

What happens if there is a cyber security problem or incident that might affect my device?

My device is an app on my smartphone, computer or tablet.

If the cyber security problem is with the operating system of your smartphone, computer or tablet, or with a specific app, you will usually receive an alert from the manufacturer. They may ask you to update software, change your password, etc.

My device is a dedicated medical device with digital connectivity, e.g., a digital glucose monitor.

If you become aware that there is a cyber security issue relating to your medical device, follow the manufacturer’s instructions or seek further information from the manufacturer.

If you are concerned that the cyber security issue with your device will affect your health, you should speak to your doctor.

How to secure your medical device

Follow instructions when using your device

You should always read the information provided with your medical device, including its instructions for safe use and maintenance, its intended purpose and any limitations associated with its use. If you have misplaced or do not understand the information provided with the medical device and are concerned that this may affect your safety, talk with your doctor.

Protect your device throughout its lifespan

It is important that you continue to keep your connected medical devices up-to-date with the latest version of software. This is to ensure that the device remains as cyber-secure as possible in the event of new cyber security issues. Your doctor or the device manufacturer will have information on the latest updates available for your device.

Be careful when away from home

Always be careful when using your medical device outside your home environment. If possible, avoid connecting to public networks that can be accessed by many people. If you cannot avoid connecting to a public network, try to minimise sending or receiving sensitive information during this period.

Use passphrases

The password that comes with your medical device may not be strong enough. To improve your protection, change from a password to a hard-to-guess passphrase. The Australian Government recommends that passphrases be made up of at least four words. A passphrase is a phrase that only you are likely to know and that is easy for you to remember, but hard for someone else to guess. Avoid reusing the same passphrase, even a good one, across different services, especially if they are registered under the same email address.

Turn off features that you do not use

Your device might have some communicating capabilities that you don’t always use or need. One example is a Bluetooth capability that automatically allows your device to connect to your computer or a nearby WiFi network. If you do not use this feature or only use it sometimes, you should turn the feature off when not needed. You should speak to your doctor before turning off any features.

How to secure your digital environment

Secure your computing devices

Using security features on your computing devices (computer, laptops, smartphones, tablets, etc.) is important. These security features include:

  • the use of a passphrase or PIN to unlock the device
  • making sure that your devices have current security software
  • keeping your software updated when prompted by your device.

Using the internet on your personal computer devices can affect the security of your network, which in turn can affect your medical device if it is connected to this same network.

Use backups and protection

We all store a lot of precious data on our computers, such as photos and important documents. Your medical device might also be storing valuable data for your healthcare.

Creating backups of your data can help you recover it if something does go wrong. This involves creating an extra copy of your data on a storage device, such as a USB or external hard drive, or to a reputable online cloud service. For further information see Stay Smart Online.

How to be cyber smart

Pay attention to privacy

Always think about the type of information you are sharing with people, and ask yourself why someone needs that information.

  • Consider if the people you are giving your data to are trustworthy.
  • How will sharing your data affect your security?
  • What benefit will you receive by sharing your data?

For further information see Stay Smart Online.

You might share information when you use your medical device with a health professional or the company that makes the device. If medical devices do this automatically, it should be disclosed in the user manual or other instructions for use. If not, ask your doctor or the manufacturer of your device.

You may also want to share information about your health management in online forums with people who have similar health conditions. Before you share this kind of information, consider whether anything you share might compromise your privacy, safety or cyber security.

Be aware of suspicious messaging

Sometimes your doctor or your medical device will communicate with you via an electronic message, such as a text message, email, chat function or web portal. Hackers might try to imitate this messaging to obtain your information directly, or to get you to click on a link to a malicious website that could obtain sensitive information from you or compromise the integrity of your device.

You should exercise caution and ensure that a message is from a trusted person before acting on any information contained within it. If in doubt, do not respond, and contact your doctor or the medical device manufacturer using contact details listed in a place other than within the suspicious message.

Browse responsibly

Some webpages can be unsafe and can affect your computer just by visiting them. You should minimise visits to unknown websites and look for the padlock symbol or 'https' in the browser address when visiting websites. For further information see Stay Smart Online.

How to report

If a medical device appears to have been affected by a cyber security issue and could directly affect your health or safety, you should:

Reports are an important source of information for the TGA to assess the safety, quality and performance of medical devices. When you submit a report to the TGA, even if there is no direct outcome for you, you are contributing to the ongoing collection of information that helps ensure the safety, quality and performance of medical devices in Australia.