Medical devices and hospital systems are still very vulnerable to cyber-attacks, FDA warns.
New e-health and m-health devices, apps and software come on to the market in the United States every day. Every piece of hardware or software, every internal network, every collaborative tool for hospitals and every piece of electronic equipment, whether connected or not, is a potential target for cyber attacks. Last week, the US Food and Drug Administration (FDA) published a warning, urging the healthcare industry to make sure there are proper safeguards in place to protect their medical devices from cyber threats. The agency sees electronic medical devices and health care facility networks as especially vulnerable to this type of attack. This warning reiterates the conclusions of other studies and investigations, such as the one conducted by the Washington Post on which we reported in an earlier article. The FDA, which has traditionally been responsible for assessing the security aspects of health equipment, is gradually redefining its role in order to additionally provide a better guarantee of data privacy and of the ‘cyber security’ of devices and equipment.
Cyberattacks threaten patients and physicians
Electronic devices connected to the Internet are at extremely high risk, reckons the FDA. The risks range from data theft, often due to lack of proper security on passwords, computer viruses and problems with updates of defective software, to computer or medical equipment malfunction. There is no shortage of actual examples. The consequences are manifold and may threaten patients’ health. In April 2010, a routine update carried out by cyber-security provider McAfee wrongly identified a Windows file as a virus, which led to the shutdown of 8,000 computers at the University hospital in Ann Arbor, Michigan and some 2,500 at the University hospital at Syracuse in upstate New York. As a result of the error, a third of the hospitals in Rhode Island were forced to stop treating some of their patients and had to postpone surgical operations. Nevertheless they continued to accept emergency cases and deal with them as a priority. The FDA has stated that it is not aware of any patient injuries or deaths so far caused by a cyber attack.
Designing risk prevention into devices
The FDA backed up its public warning by publishing a list of concrete recommendations for device manufacturers. This document is a first step. It brings together recommendations from the FDA and other government agencies, including the US Department of Human Services, the Center for Devices and Radiological Health, the Office of Device Evaluation, and others, to help manufacturers build medical devices which are better protected against cyber attacks. The document highlights the need to deal with these issues at the design stage, underlining that this is a determining factor in risk identification and reduction. The recommendations focus on strengthening user authentication processes, automated session closing, robust controls prior to updates and the establishment of formal recovery procedures and data backup.