The FDA is urging medical device makers and health care facilities to make sure there are proper safeguards in place to protect their medical devices from cyber threats.

The FDA (Food and Drug Administration) said on Thursday that its warning is directed specifically at biomedical engineers, health care IT and procurements staff, medical device user facilities, hospitals and medical device manufacturers.

A cyber attack may be caused when *malware is introduced into medical equipment, as well as unauthorized people gaining access to configuration settings in hospital networks and equipment.

*Malware is software that is created to disable or damage computers and computer systems, i.e. malicious software.

Most medical devices today contain embedded computer systems that are configurable, meaning they can be altered or tweaked, making them vulnerable to cyber-security breaches.

The threat has become more serious over the last fifteen years as a growing number of medical devices are interconnected through hospital networks, the Internet, smartphones and other medical devices. Every new type of connection increases their vulnerability to malicious attacks.

The FDA says that it has become aware of the following cyber-security vulnerabilities and incidents regarding hospital network operations and medical devices:

  • Medical devices that are configured and/or connected to a network being disabled by malware
  • Malware penetrating hospital smartphones, tablets, other mobile devices that use Wi-Fi technology to access patient information, implanted patient devices, and hospital computers
  • Lack of proper security regarding passwords, disabled passwords, and hard-coded passwords for software intended for selected personnel such as maintenance, technical or administrative staff
  • Not regularly updating medical device and network software
  • Not addressing vulnerabilities in legacy devices (older medical devices)
  • Security weaknesses in off-the-shelf software which is supposed to prevent unauthorized network or device access, such as hard-coded passwords, plain-text or no authentication, poor coding/SQL infection, and documented service accounts in service manuals

So far, the FDA has received no reports of specific systems or devices in clinical use being deliberately targeted, neither is it aware of any patient injuries or deaths caused by these incidents.

According to the FDA, American health and other authorities, medical device and software companies have been liaising closely to minimize the risk of cyber attacks.

A high percentage of medical devices contain configurable embedded computer systems that are potential targets for cyber threats. Recommendations for device manufacturers

It is the responsibility of medical device manufacturers to be on the lookout for potential risks and hazards related to their products, including cyber-security risks. They are also responsible for making sure appropriate mitigations are in place to guarantee patient safety and to make sure the device performs properly.

Medical device manufacturers must make sure that unauthorized access to their products does is not possible. The FDA wrote in an online communiqué “Specifically, we recommend that manufacturers review their cyber-security practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device. The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach.”

When the device is being evaluated, the following should be considered:

  • Steps must be taken to make sure only trusted users have access to the device and nobody else, especially devices which keep patients alive or could be connected directly to hospital networks.
  • Take steps to protect each component from exploitation. Develop strategies for active security protection that are suitable and practicable for the device’s use environment. These strategies must include timely deployment of routine, validated security patches, and systems that require an authenticated code for software and firmware updates.
  • A medical device’s critical functionality is a top priority, make sure design approaches bear that in mind. Even if the device has been compromised, fail-safe modes should be included to maintain that critical functionality.
  • There should be methods for retention and recovery after an incident that affects security. “Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.”

Recommendations for hospitals and other health care facilities

Health care facilities need to take steps to evaluate their network security and protect their hospital systems. The following should be considered when evaluating network security:

  • Access to networked medical devices and networks in general should be restricted to authorized personnel and nobody else.
  • Firewalls and antivirus software should be updated regularly.
  • Network activity should be constantly monitored for unauthorized use.
  • Individual network components need to be evaluated periodically as a matter of routine. This includes updating security patches and disabling all unnecessary ports and services.
  • If a hospital or health care facility has or suspects there is a cyber-security problem with a medical device, the manufacturer should be contacted immediately. The FDA and DHA ICS-CERT might be able to help in vulnerability reporting and resolution if it is not possible to determine who the manufacturer is, or if the manufacturer cannot be contacted.
  • During adverse conditions it is important that equipment maintains critical functionality. Health care facilities need to develop and evaluate contingency strategies.

The FDA says it has released a draft guidance on how medical device manufacturers should address cyber-security when submitting their products for approval (pre-market). It also has guidance on how manufacturers should deal with cyber-security issues regarding devices that use off-the-shelf software.

In order to better understand the risk related to medical devices, the FDA is urging device users and makers to report any adverse events promptly to the Agency. “If you suspect that a cybersecurity event has impacted the performance of a medical device or has impacted a hospital network system, we encourage you to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program.”

Health care personnel should follow the reporting procedures laid down by their facilities. Medical device makers must comply with the MDR (Medical Device Reporting) regulations.

When reporting a cyber-security problem/incident with a specific device, the FDA asks that the following information be included in the report (if available):

  • Who is your point of contact should more details regarding the incident/event be required?
  • When was the cyber-security problem first discovered?
  • How was the problem first discovered?
  • Which model numbers and firmware versions are affected?
  • How many medical devices are/were affected?
  • Has the functionality of the device been compromised? If so, how did this occur (was it exploited via local access or remotely)?
  • What is the observed abnormal behavior of the medical device? What are the potential consequences?

Researchers from the University of Michigan, University of South Carolina, Korea Advanced Institute of Science and Technology, University of Minnesota, University of Massachusetts and Harvard Medical School reported in May 2013 that sensors used in implanted cardiac defibrillators and pacemakers are vulnerable to tampering.

The team showed that they could forge an erratic heartbeat with radio frequency electromagnetic waves. In theory, a false signal like the one they created might stop the pacemaker from working properly, and could also induce unnecessary defibrillation shocks.

Prof. Wenyuan Xu, from the University of South Carolina, said “Security is often an arms race with adversaries. As researchers, it’s our responsibility to always challenge the common practice and find defenses for vulnerabilities that could be exploited before unfortunate incidents happen. We hope our research findings can help to enhance the security of sensing systems that will emerge for years to come.”

Written by Christian Nordqvist