FDA, DHS Warn Medical Device Makers, Hospitals on Cyber-Threats

The FDA has issued an alert on protecting medical devices from malware and cyber-threats. The Department of Homeland Security delivered a similar warning.

With malware capable of impacting hospital systems and implantable devices in danger of being hacked, the U.S. Food and Drug Administration has issued a "safety communication" to warn hospitals and medical device manufacturers about cyber-threats.

In the June 13 statement, the FDA advised manufacturers to examine the risks and hazards that affect medical devices and patient safety.

"Specifically, we recommend that manufacturers review their cyber-security practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device," the FDA stated.

"The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach," the statement said.

When evaluating the security of medical devices for threats, medical device manufacturers should consider security features such as user authentication through a smart card or biometric method, limiting public access to passwords, and using physical locks, card readers and guards, the FDA advised.

For hospitals, the FDA recommended monitoring networks for unauthorized users, conducting routine and periodic evaluations as well as updating security patches and disabling all unnecessary ports and services.

No patients are known to have been harmed by any security threats to medical devices, the FDA noted.

"The FDA is not aware of any patient injuries or deaths associated with these incidents nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time," the FDA stated.

When cyber-security incidents occur, affected parties should file a notification through MedWatch, the FDA's Safety Information and Adverse Event Reporting program.

The FDA's notice coincided with a June 13 alert from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which warned about hard-coded passwords in medical devices.

Researchers at cyber-security company Cylance said a hard-coded password vulnerability affected roughly 300 medical devices across about 40 vendors. This vulnerability could lead to a change in critical settings or enable the modification of medical device firmware, according to the ICS-CERT report.

"ICS-CERT is currently coordinating with multiple vendors, the FDA and the security researchers to identify specific mitigations across all devices," ICS-CERT stated. "In the interim, ICS-CERT recommends that device manufacturers, health care facilities and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities."

Of health care organizations interviewed for an April 2013 study carried out by the Ponemon Institute and sponsored by Imprivata, 63 percent had suffered a data breach that required notification of federal officials, the media and affected individuals, depending on the number of those affected.

"It is imperative to keep patient information protected at all times, but hospitals need to find a way to do so while also giving clinicians access to new technologies that help them deliver the best possible care for patients," Dr. Sean Kelly, chief medical officer of Imprivata, wrote in an emailed statement to eWEEK.

The FDA's guidance was long overdue but a welcome reminder of a problem facing the health care industry, according to Mac McMillan, CEO of security firm CynergisTek and chair of the Privacy & Security Policy Task Force for the Health Information Management Systems Society (HIMSS).

"The industry has known for a while now that medical devices are an issue," McMillan told eWEEK. Vendors don't build medical devices on up-to-date software; they build devices on operating systems that can't be patched, [and] the hospitals get very little support from vendors as far as securing medical devices."

To address the problem of medical devices being compromised, medical devices need a certification standard similar to that of electronic health records (EHRs), according to McMillan. Health care providers must buy a certified EHR system to receive incentives under the federal government's meaningful-use program, he noted.

"When you build a medical device for the health care industry, it must be built on a current operating system, it must be built to a certain standard, it must be able to be patched and it must be able to have antivirus protection applied to it," McMillan said.

If medical device manufacturers have standards they are required to meet, then the problem of the devices' security being compromised could be solved, he suggested.