FDA Urges Medical Device Makers and Hospitals to Increase Security
Cybersecurity incidents reported involving some medical devices have prompted the U.S. Food and Drug Administration to issue stern warnings to medical device manufacturers and health care facilities to ramp up safeguards.
“Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches,” stated the FDA. “In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical device, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.”
The idea of malware in a pacemaker or a ventilator is chilling. As SC Magazine noted, “At the 2011 Black Hat conference in Las Vegas, researcher and Type 1 diabetic Jay Radcliffe demonstrated how he is able to send commands to wirelessly disable (within about 150 feet) the insulin pump he has been wearing since he was 22.”
Although no patient injuries or deaths have been reported, the FDA cited incidents such as malware on hospital computers, smartphones, and tablets that targeted mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices. The FDA also warned that some healthcare facilities are failing to install security software updates and patches to medical devices and networks in a timely manner, putting patient care and data at risk.
The FDA-recommended safeguards for medical device manufacturers include:
- Limiting device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
- Protecting individual components and develop strategies for active security protection, such as deploying routine, validated security patches in a timely manner and restricting software or firmware updates to authenticated code.
- Using design approaches (“fail-safe modes”) that maintain a device’s critical functionality, even when security has been compromised.
- Providing methods for retention and recovery after a cybersecurity incident.
The FDA-recommended safeguards for hospitals and health care facilities include:
- Restricting unauthorized access to the network and networked medical devices
- Making certain appropriate antivirus software and firewalls are up-to-date
- Monitoring network activity for unauthorized use
- Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services
- Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
- Developing and evaluating strategies to maintain critical functionality during adverse conditions
If you suspect cybersecurity breaches involving a medical device or a hospital network system, the FDA encourages you to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program.