FDA Releases Guidance for Medical Device Cybersecurity | eWeek

Medical Device Security Guidance Released by FDA as Threats Multiply

Health care cyber-security
Jan 4, 2017
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

2016 was not a good year for health care cyber security, with a 63 percent year-over-year increase in major attacks, according to security firm TrapX. The situation has not escaped the notice of the U.S Government, with the Food and Drug Administration(FDA) issuing a 30-page report on Cyber-security in Medical Devices, on Dec. 28, 2016.

“Protecting medical devices from ever-shifting cyber-security threats requires an all-out lifecycle approach that begins with early product development and extends throughout the product’s lifespan,” Suzanne Schwartz, FDA associate director for science and strategic partnerships, wrote in a blog post.

Among the core elements of the FDA guidance for medical device security is understanding the risks and potential vulnerabilities of devices. Additionally the FDA recommends that organizations have a process in place to work with security researchers to receive and act on information related to potential vulnerabilities. The FDA also suggests that organizations deploy software patches quickly, before they can be exploited.

Moshe Ben-Simon, co-founder and vice president of services at TrapX has a mixed outlook on the FDA guidance and how it can help to improve security in the health care market.

“As guidance it takes the industry in the right direction,” Ben-Simon told eWEEK. “The challenge is that the existing installed base of medical devices and the infrastructure that support them cannot be remediated in a period measured in other than years.”

The scope of the medical device cyber-security challenge is large, with approximately 6,500 medical device manufacturers and perhaps millions of medical devices within the installed base. Ben-Simon commented that many medical devices are installed on a long projected financial and operating life, but the manufacturers don’t plan on ever upgrading the internal embedded processors and making major structural changes to the devices.

“In contrast, the hospitals cannot afford to end-of-life these older devices. They want the manufacturer to offer a no or low cost upgrade so they can be more cyber resilient,” Ben-Simon said. “To complicate matters, beyond the purview of the FDA, the basic weakness in the networks that host the medical devices is perhaps worse and definitely part of the problem.”

In June 2016, TrapX released a report on an attack against medical devices dubbed ‘MEDJACK 2’. In this attack, hackers scan networks looking for potentially vulnerable medical device in an attempt to deploy various forms of malware and ransomware.

Ben-Simon noted that the FDA guidance for medical device cyber-security could potentially help to prevent MEDJACK attacks in the long term.

“The challenge is that without mandatory compliance, neither the medical device manufacturers nor the hospitals can afford to invest in upgrading the massive installed base of devices,” Ben-Simon said.

Ben-Simon noted that MEDJACK can only be detected when attackers move laterally from the infected medical devices across a network and most hospitals do not have the technology to identify attacker safe havens. In the meantime, Ben-Simon said that TrapX continues detect MEDJACK in just about every health care institution in which it has close involvement.

Overall 2016 was a challenging year for security in the medical community. TrapX’s 2016 health care Cyber Breach Research Report found a 63 percent year-over-year increase in attacks against health care institutions in the U.S.

“The rapid emergence of ransomware nationally happened at a faster pace than anyone expected within health care,” Ben-Simon said.

There were attacks against health care organizations in 2015 as well, including large breaches at Anthem, Premera and Excellus Blue Cross/Blue Shield. Ben-Simon noted that in 2015 a few massive institutions were impacted by the theft of over 100 million health care records.

“The 2016 research and analysis was a big wake up in that it shows a broadening of attacks from the largest institutions to a broad mid-section,” Ben-Simon said. “This broad mid-section includes not only hospitals, but large physician practices, cancer treatment centers, urology center, MRI/CT scan centers, surgical centers, skilled nursing facilities (SNFs) and diagnostic laboratories.”

“Attackers are exploiting their market opportunity quickly, finding the weakest points on which to land and expand, and they are reaching out to do so using new tools like ransomware to improve their return on investment,” he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.