A couple of years ago, we wrote about the vulnerability of certain insulin pumps to outside hackers. Since then, many more many medical devices with embedded computer systems also seem to be vulnerable to cyber security breaches. Add to that the increasingly interconnected nature of hospital networks and smartphones, and the risk of cybers ecurity breaches affecting medical device operations is compounded.
A hacker messing with your medical device can make you sicker, or even put you at risk of death.
The FDA gets it. The agency has issued an alert recommending that medical device manufacturers and health- care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. Such attacks can result from malware sent directly to the medical equipment or by unauthorized access to configuration settings in medical devices and hospital networks.
At this point, the alert is strictly a warning—the FDA is not aware of any patient injuries or deaths associated with hacking, nor does it have any indication that any specific devices or systems in clinical use have been purposely targeted.
So this is a heads-up announcement for manufacturers, hospitals, medical device user facilities, health-care IT professionals and biomedical engineers to make medical devices secure, and keep those protections up to date.
For manufacturers, the FDA recommends:
-
Taking steps to limit unauthorized device access to trusted users, particularly for devices that are life-sustaining or could be directly connected to hospital networks. Such security controls can include: user authentication via password, smartcard or biometric; strengthening password protection; limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
-
Protecting individual components from exploitation and developing strategies for active security protection such as timely deployment of routine, validated security patches and methods to restrict software updates to authenticated code.
-
Designs that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
-
Providing methods for retention and recovery after security has been compromised.
For health-care facilities, the FDA recommends:
-
Restricting unauthorized access to the network and networked medical devices.
-
Ensuring that antivirus software and firewalls are up-to-date.
-
Monitoring network activity for unauthorized use.
-
Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
-
Contacting the specific device manufacturer if you think you have a cyber security problem related to a medical device.
-
Developing and evaluating strategies to maintain critical functionality during adverse conditions.
If you or a loved one is being treated with a programmable, chip-embedded medical device, find out who the manufacturer is and what safeguards are included in its design. If your practitioners can’t provide this information, that’s a red flag—they should be as concerned with cyber protection as you are.
Also, ask your practitioner s what safeguards their facility has in place to protect against hacking. Use the list above to ensure they have adequate standards, and that they are being followed.
