Guidance for patients and consumers
Patients and consumers using connected medical devices should:
- be fully informed about the potential cyber security risks these devices may expose them to
- take proactive action to protect their devices and networks, and act responsibly online
When receiving a medical device that has risks associated with cyber security, it is important that consumers are able to understand the risks and the associated benefits in order to give informed consent. Alongside receiving information on the device, consumers are encouraged to ask their health professional questions to help build their understanding of using the device safely and securely. These questions might include:
- What are the risks, particularly cyber security risks, associated with use of a specific device and what alternative device options exist? What constitutes a cyber security risk?
- What default security settings are there to protect the user?
- What are the cyber security implications of changes to the device settings?
- When and how does the device connect to the internet?
- What data is collected by the device, where does it go, and who has access to it?
- How can a user tell if a device has been hacked or compromised and who can they talk to if this is suspected?
- Who should the user talk to if they learn about vulnerabilities (e.g. from the media or TGA) that might affect the device?
- What does the user need to do to maintain the device (e.g. software updates)?
The Australian Cyber Security Centre provides guidance to consumers and small business operators to help reduce cyber security risk associated with software vulnerabilities, online scams, malicious activities and online behaviours. This is important for:
- maintaining the operating integrity of a medical device so that it may continue to deliver its intended therapeutic benefit
- assisting in maintaining the confidentiality, integrity and availability of medical devices and their data
- creating a cyber safe operating environment for connected medical devices
Home users should be aware of what content they share online, both in public and private forums, particularly relating to personal information.
- Some digital health products (e.g. medical software apps) may provide a forum for users to interact. However, users should think carefully before asking specific questions or sharing information in such forums that could be used to identify them.
To protect information, the Australian Government recommends that users choose a strong passphrase (long, complex, unpredictable and unique: at least 14 characters, ideally four or more words) rather than a conventional password when setting up devices and accounts or updating their login details. Multi-factor authentication should be used wherever it is available; a strong passphrase on its own is the fallback when it is not. When creating and using passphrases, best practice is to:
- Avoid reusing the same passphrase across different services, especially if they are registered under the same email address: a leak from one service then exposes the others.
- Never share your passphrases with anyone.
- Be aware of your surroundings when entering login details in public.
- Only use trusted connections, or a Virtual Private Network (VPN), when accessing an account. Using public Wi-Fi without a VPN increases the risk that your information could be intercepted.
- Many connected medical devices require an account, either in a companion app or on an associated online platform. Use a strong passphrase to protect these accounts, the information they hold and any control of the device that unauthorised access might allow.
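The passphrase rules above (at least 14 characters, ideally four or more words, never reused across services, unpredictable) can be checked and, more usefully, generated mechanically. The following is an added example, not code from the TGA or ACSC guidance: it draws words from a cryptographically secure random source, checks a candidate against those rules, and flags reuse against passphrases already used on other accounts. The word list is a small constructed sample for illustration only; the bit count it prints shows why a real generator needs a list of thousands of words.

```python
import math
import re
import secrets

# Constructed sample word list for this example only. A real generator should
# draw from a large published list (several thousand words) so that each word
# contributes meaningful entropy; 32 words gives only 5 bits per word.
WORDLIST = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bridge", "copper", "desert", "forest", "glacier", "hollow", "marble",
)

MIN_LENGTH = 14   # minimum characters recommended in the guidance above
MIN_WORDS = 4     # ideal minimum number of words


def generate_passphrase(n_words=MIN_WORDS, wordlist=WORDLIST, sep="-"):
    """Build a random passphrase from the OS cryptographic RNG.

    secrets.choice is used deliberately: random.choice is seeded predictably
    and is not suitable for anything security-sensitive.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, wordlist_size):
    """Entropy of a passphrase of n_words drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def _normalise(phrase):
    # Compare case-insensitively with whitespace collapsed, so that
    # "Correct Horse" and "correct  horse" count as the same secret.
    return " ".join(phrase.casefold().split())


def check_passphrase(phrase, used_elsewhere=()):
    """Return a list of policy failures; an empty list means the phrase passes.

    used_elsewhere: passphrases already protecting other accounts, so that
    reuse across services (the first point in the list above) is caught.
    """
    problems = []
    if len(phrase) < MIN_LENGTH:
        problems.append("too_short")
    # Words may be separated by spaces, hyphens or underscores.
    words = [w for w in re.split(r"[\s\-_]+", phrase) if w]
    if len(words) < MIN_WORDS:
        problems.append("too_few_words")
    seen = {_normalise(p) for p in used_elsewhere}
    if _normalise(phrase) in seen:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_passphrase(phrase))
    print(f"{entropy_bits(MIN_WORDS, len(WORDLIST)):.1f} bits from this toy list")
```

A short "clever" password such as a single word with digit substitutions fails both the length and word-count checks, while four random words from even this toy list pass; the entropy figure is what separates a weak list from a strong one, so treat the 32-word list as a placeholder.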
Treat any unexpected messages with caution.
- Some devices, and even some treating health and medical professionals, will communicate with a patient/consumer via electronic messaging (e.g. text message, email, or a chat function on a web portal). Users should exercise caution and confirm that a message is genuine before acting on anything it contains. If in doubt, contact the sponsor or medical professional using contact details you already trust, rather than any phone number or link in the suspicious message.
Online health and medical details
Just as they target online banking details, criminals are eager to steal personally identifiable health information. Users should ensure that the connected devices they use with a medical device, including computers, mobile devices and the medical device itself, are set up and used in line with the operating instructions provided with the medical device. Refer to “Guidelines for System Hardening” on the ACSC website: www.cyber.gov.au for more details.
Tablets and mobiles
These days tablets and mobile phones are often an accessory to a medical device. For example, a medical device may have a phone app that assists in using the device or collecting data. In these cases the security of the phone or tablet can directly affect the security of the medical device.
Users should turn on the security features of their mobile devices: set a password, passphrase or PIN that must be entered to unlock the device, install reputable security software and keep the operating system up to date. Refer to guides on “Mobiles and Tablets” on the ACSC website: www.cyber.gov.au for more details.
Backups and updates
Regularly updating applications (e.g. phone apps and operating systems) associated with medical devices is important because updates generally include fixes for known security vulnerabilities, so the most up-to-date software will generally be the most secure.
Users can reasonably expect that manufacturers will provide security updates, disclose known vulnerabilities and make available sufficient information for a user to discuss with their health care professional and decide whether to apply or not apply updates and other improvements.
Medical devices may be attacked through the networks they are connected to, including home networks (e.g. home Wi-Fi or the home internet connection). Keeping home networks and IT equipment up to date is therefore also important for protecting medical devices. Users should make sure their computers are secure and up to date, and should regularly update the firmware in their routers and modems, or turn on automatic updates where the device supports them.
As with other data and systems, backups are important so that, in the worst case, the system can be recovered and restarted. Data and settings collected by medical devices can be critical to a user’s health care, so users should make sure that this data is backed up with their other critical data.
Using smart devices in the home
The Stay Smart Online program also offers the following advice for users of smart devices in the home, which may include medical devices:
- Whenever possible, change any default passwords on the device to a secure and private passphrase.
- Medical devices often ship with default passwords so that clinicians and consumers can start using the device straight after purchase. However, these defaults are frequently published in manuals or online and are easily guessed, so they offer little protection until they are changed.
- When practical and safe, ensure software updates are set to apply automatically on any devices.
- Special consideration should be given for medical devices because updating them can affect the medical care that the devices provide. Check with your doctor about automatically updating your medical devices or their accessories.
- Follow all instructions when installing and configuring the settings for the device.
- Patients and consumers using connected medical devices should always read and understand the information provided with the medical device, including its intended purpose and any limitations of use, the instructions for maintenance and use of the device, and how updates are to be provided for the device (e.g. software and firmware updates). Patients and consumers should also talk to their clinician if they have any questions about the instructions.
- Continue to be vigilant about protecting devices throughout their lifespan.
- When using connected medical devices outside the home, users should exercise caution, especially if using public wireless networks or internet ‘hotspots’ that are run by organisations that are not trusted, and avoid sending or receiving sensitive information while connected to public networks.
- Consider that attackers also have easy access to public networks. Information sent over them is easier to intercept, and you lose one of the layers that protects your medical device.