FDA Warns of Cyber Threats to Networked Medical Devices
The U.S. Food and Drug Administration is concerned that networked medical devices may introduce cybersecurity vulnerabilities that give attackers a foothold on hospital networks, putting protected health information and patient safety at risk.
Networked medical devices “introduce new risks related to potential cybersecurity threats” including the introduction of malware into medical equipment and unauthorized access to configuration settings on devices and hospital networks, according to Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures for the FDA’s Center for Devices and Radiological Health.
Schwartz told an audience on Nov. 9 at the HIMSS Connected Health Conference in Washington, D.C., that medical device cybersecurity is integral to the FDA mission that devices meet the threshold of reasonable assurance of safety and effectiveness, and that providers need to understand what they are purchasing and deploying.
Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist providers in assessing the vulnerabilities and risks associated with electronic PHI that a medical device transmits or stores. However, Schwartz argued that medical device manufacturers must design and develop devices that are “securable throughout the product lifecycle” and that they must be “mindful that there is an active adversary and that the device will need to be updated on a continuum so that it can be secure.”
Indeed, in late July the FDA alerted users of a computerized infusion pump, which communicates with hospital information systems over a wired or wireless connection to the facility network, that the device has serious cybersecurity vulnerabilities that could put patient safety at risk. The agency advised healthcare facilities to disconnect the pumps from their networks to reduce the risk of unauthorized system access.
“We recognize that device vulnerabilities may be that point of entry, that vector for access to the greater network, even while the device may remain unaffected—and that can put PHI and PII data at risk,” said Schwartz.
Because of these and other potential risks from networked medical devices, the Department of Health and Human Services Office of the Inspector General announced that it will conduct an audit looking at whether FDA’s oversight of hospital networked medical devices is sufficient to effectively protect associated electronic protected health information and ensure beneficiary safety.
“Computerized medical devices, such as dialysis machines, radiology systems, and medication dispensing systems that are integrated with electronic medical records and the larger health network, pose a growing threat to the security and privacy of personal health information,” states the OIG’s fiscal year 2016 work plan. “Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications.”
In September, the Federal Bureau of Investigation issued an alert warning about the cybersecurity risks that networked medical devices pose to patients. According to the FBI, Internet of Things (IoT) devices, which connect to the Internet and automatically send and/or receive data, include medical devices such as wireless heart monitors and insulin dispensers.
One of the threats to unprotected IoT devices that the FBI warned the public about is a scenario in which attackers alter the code that controls the dispensing of medicines or the collection of health data.