FDA Issues Alert on Preventing Medical Device Hacking

Please read the article below. Some of you may have loved ones who require medical devices such as pacemakers or insulin pumps.

  • You may want to consider a dedicated Internet connection for the wireless medical device at home.
    • A mobile hotspot card can do the trick.
    • Be sure to have a strong and long password!
  • Make sure that the device provider has practices in place to update the medical device.
  • Document everything!
    • Network activity logging devices and software can help you keep track of what is occurring on the network that your loved one’s medical device is on.
    • Product liability and wrongful death suits are a grim thing to think about but do have to be taken into consideration.

A couple of years ago, we wrote about the vulnerability of certain insulin pumps to outside hackers. Since then, many more medical devices with embedded computer systems also seem to be vulnerable to cyber security breaches. Add to that the increasingly interconnected nature of hospital networks and smartphones, and the risk of cyber security breaches affecting medical device operations is compounded.

A hacker messing with your medical device can make you sicker, or even put you at risk of death.

The FDA gets it. The agency has issued an alert recommending that medical device manufacturers and health-care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. Such attacks can result from malware sent directly to the medical equipment or from unauthorized access to configuration settings in medical devices and hospital networks.

At this point, the alert is strictly a warning—the FDA is not aware of any patient injuries or deaths associated with hacking, nor does it have any indication that any specific devices or systems in clinical use have been purposely targeted.

So this is a heads-up announcement for manufacturers, hospitals, medical device user facilities, health-care IT professionals and biomedical engineers to make medical devices secure, and keep those protections up to date.

For manufacturers, the FDA recommends:

  • Taking steps to limit unauthorized device access to trusted users, particularly for devices that are life-sustaining or could be directly connected to hospital networks. Such security controls can include: user authentication via password, smartcard or biometric; strengthening password protection; limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Protecting individual components from exploitation and developing strategies for active security protection such as timely deployment of routine, validated security patches and methods to restrict software updates to authenticated code.
  • Designs that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
  • Providing methods for retention and recovery after security has been compromised.

For health-care facilities, the FDA recommends:

  • Restricting unauthorized access to the network and networked medical devices.
  • Ensuring that antivirus software and firewalls are up-to-date.
  • Monitoring network activity for unauthorized use.
  • Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
  • Contacting the specific device manufacturer if you think you have a cyber security problem related to a medical device.
  • Developing and evaluating strategies to maintain critical functionality during adverse conditions.

If you or a loved one is being treated with a programmable, chip-embedded medical device, find out who the manufacturer is and what safeguards are included in its design.

If your practitioners can’t provide this information, that’s a red flag—they should be as concerned with cyber protection as you are.

Also, ask your practitioners what safeguards their facility has in place to protect against hacking.

Use the list above to ensure they have adequate standards, and that they are being followed.
