Americans are well aware of the ever-growing potential of a cyber attack on our credit cards, bank and email accounts, even our social media outlets. But cyber attacks on medical devices? Is this a real threat?
The FDA recently urged those in the medical device industry, specifically biomedical engineers, health care IT staff, medical device user facilities, hospitals and manufacturers, to ensure proper safeguards are in place to protect devices against a cyber attack. A medical device can be attacked if malware, or software created to disable or damage computers, is introduced into medical equipment. A threat could also come from unauthorized people gaining access to hospital networks and equipment.
Even though the threat of cyber attack on medical devices has increased over the last 15 years with the increase of devices interconnected through the internet, smartphone applications, and hospital networks, the FDA has not received reports of specific devices being deliberately targeted. The Department of Veterans Affairs, which has been tracking medical device infections since 2009, reports that there have been 327 cyber-threatening incidents, none of which resulted in patient harm.
The FDA places responsibility on the manufacturers to be a step ahead of cyber threats, to identify potential risks and hazards, and to ensure mitigations are in place to guarantee patient safety and device effectiveness. Some companies have attempted to be proactive, but hesitate to market their devices as secure. According to Mike Ahmadi, a consultant and medical device security expert, doing so may invite those looking for a challenge, as advertising security can become a matter of liability.
The draft guidance was issued by the FDA on June 14, 2013, with hopes of finalizing it by the end of the year. The general principle of the guidance is to encourage manufacturers to develop a set of security controls to maintain information confidentiality, integrity, and availability. The FDA suggests the following implementations:
- Fail-safe device features that protect the device’s critical functionality
- Features that allow for security compromises to be recognized, logged, and acted upon
- Methods for retention and recovery of device configuration by an authenticated system administrator
Do you consider medical devices vulnerable to cyber threats? Does your company have procedures or security systems in place to safeguard devices against cyber attacks?
Photo Credit: Nick Reynolds