FDA urges protection of medical devices from cyber threats

Thu Jun 13, 2013 9:05pm EDT

(Reuters) - The U.S. Food and Drug Administration on Thursday urged medical device makers and medical facilities to upgrade security protections to protect against potential cyber threats that could compromise the devices or patient privacy.

It released that advisory in coordination with a separate alert from the Department of Homeland Security, which disclosed vulnerabilities in a wide variety of medical equipment that could leave those devices open to remote attacks from hackers.

"Over the past year, we've become increasingly aware of cyber security vulnerabilities in incidents that have been reported to us," William Maisel, deputy director for science at the FDA's Center for Devices and Radiological Health, said in an interview. "Hundreds of medical devices have been affected, involving dozens of manufacturers," Maisel said, adding that many were infected by malicious software, or malware.

But he said all the infections appeared to be unintentional, largely due to malware and computer viruses that were circulating in hospital computer networks and jumped onto the devices.

An alert published on the government's Industrial Control Systems Cyber Emergency Response Team website cited research from Billy Rios and Terry McCorkle of the cyber security firm Cylance Inc, who said they have identified more than 300 pieces of medical equipment that are vulnerable to cyber attack. They include surgical and anesthesia devices, ventilators, drug infusion pumps, patient monitors and external defibrillators.

The problem with the equipment is that it can be controlled using default passwords that can be obtained with relative ease by motivated hackers, Rios said in an interview. Those passwords give their holders complete control of the devices and in some cases can be used to gain that access remotely via the Internet, he said.

"Somebody could take over the device and make it do whatever they want it to do and it would be almost impossible for hospital staff to know that it had been tampered with," Rios said.

Rios and McCorkle are among a group of security experts who in recent years have suggested that medical devices such as insulin pumps and pacemakers could be vulnerable to hacking.

The FDA on Thursday said it is not aware of any patient injuries or deaths associated with devices and hospital computer networks that have been infected with malware and computer viruses.

In an advisory on its website, however, the FDA said manufacturers, hospitals and patients need to protect themselves better from the introduction of malware in medical equipment and unauthorized access to settings that control devices.

"Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches," the agency said.

The risk of breaches has grown as devices have become increasingly interconnected, via the Internet, hospital networks, other medical devices and smartphones, the FDA said.

"Specifically we recommend that manufacturers review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device," the agency said.

Among its recommendations, the FDA said manufacturers need to take steps to limit unauthorized device access to trusted users only, particularly for devices that are "life sustaining" or could be directly connected to hospital networks.

User IDs, passwords and other security controls need to be strengthened, including potential use of biometrics, the agency said. Moreover, manufacturers need to assure that devices recover and continue to work once security has been compromised.

"Cybersecurity incidents are increasingly likely," the FDA said, "and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery."

The FDA also urged health care facilities to evaluate their network security, including restricting unauthorized access to the network and networked devices.

(Reporting by Ransdell Pierson in New York and Jim Finkle in Boston; Editing by Ros Krasny, Dan Grebler and Bernard Orr)

Comments (2)
randydutton wrote:
My 2012 novel, The Carbon Trap, opens with an assassination performed by a hacker taking control of a lecturer’s medical devices in front of 1200 attendees. Think it can’t be done?

Jun 14, 2013 11:43am EDT
powelltate wrote:
MITA agrees that cyber security risks are real and we look forward to working with the Food and Drug Administration (FDA) on this issue. Importantly, the FDA’s final cyber security guidance should incorporate risk-based provisions to ensure patient safety while also promoting timely patient access to diagnostic imaging and radiation therapy innovations. To that end, MITA and our member companies appreciate the opportunity to comment on the FDA’s draft guidance and continue our work with the agency to address this important issue.

-Gail Rodriguez, Executive Director of MITA

Jun 14, 2013 1:50pm EDT