FDA Issues Cybersecurity Warning for Medical Devices

The FDA is urging medical device manufacturers and health care facilities to take new measures to increase security against hackers and malicious computer viruses that could adversely effect medical equipment. 

In an FDA safety warning issued on June 13, the medical device regulators urged health care facilities and manufacturers to take steps to safeguard their networks and information before an attack occurs, reducing the risk of system failure in the event of an attack.

The agency outlined numerous avenues where cybersecurity may be vulnerable. The FDA warned that attackers can introduce malware into the medical equipment itself. Some devices have embedded computer systems that are vulnerable to breaches. Often medical devices and other computer devices used during treatment are interconnected via hospital networks, the internet, smartphones, tablets and other devices making them especially vulnerable to malware.

“Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigation in place to address patient safety and assure proper device performance,” the FDA warned.

Other vulnerabilities such as uncontrolled distribution of passwords, failure to conduct security software updates and install patches and security vulnerabilities in retail software which was designed to prevent unauthorized network access can all result in network breeches or other security vulnerabilities, according to the agency.

FDA Calls for Proactive Approach

The FDA recommends manufacturers take necessary steps to limit the opportunities for vulnerability, unauthorized access or network breeches to medical devices by implementing cybersecurity practices and policies which will ensure safeguards are in place before an attack occurs.

Officials also advise manufacturers and medical facilities to limit network access to trusted users only, especially when life sustaining devices are involved. Vigilance is also recommended when a direct connection to hospital networks occurs.

There have been no patient injuries or deaths associated with any cybersecurity breeches or incidences to date. The FDA is also unaware of any devices or systems which have been purposely targeted for these reasons at this time.

The FDA recommends all medical facilities implement methods for retention and recovery of sensitive data in the event an incident should occur where security has been compromised.

Recently cybersecurity became an issue involving the protection of insulin pumps. In a demonstration conducted last year by McAffee, Inc., researcher Barnaby Jack revealed insulin pumps were more susceptible to hacking attempts than originally suspected.

According to the demonstration, hackers were able to remotely access the pumps from up to 300 feet away. After hacking the devices they are able to change the dosage and cause the pumps to deliver fatal doses of insulin. The security issues are known to also occur in a number of other medical devices which rely on wireless communication.