The Food and Drug Administration (FDA) said in a statement that companies must consider cybersecurity in the design and development of medical devices, which are becoming increasingly interconnected. The release of the guidance comes amid a flurry of recently exposed vulnerabilities and bugs that could cripple healthcare systems and compromise patient safety.
The FDA said manufacturers and facilities should include safeguards against cybersecurity threats—such as malware that could be introduced into medical equipment, or unauthorized access to hospital networks.
“Medical devices that contain computer hardware or software or that connect to computer networks are subject to the same types of cyber vulnerabilities as consumer devices,” said Suzanne Schwartz, M.D., M.B.A., Director of Emergency Preparedness/Operations & Medical Countermeasures (EMCM) at FDA’s Center for Devices and Radiological Health. “The consequences of medical device breaches include impairing patient safety, care, and privacy.”
The Potential for Serious Threats
The FDA noted in its statement that it is “not aware of any patient injuries or deaths associated with cybersecurity incidents, nor are we aware that any specific devices or systems in clinical use have been purposely targeted at this time.”
Yet, the vulnerabilities discovered have serious potential for harm. Some of the most serious threats to health IT systems include the Heartbleed and Shellshock bugs.
Heartbleed, an OpenSSL encryption security flaw, is implicated in a recent hospital breach where hackers exploited the flaw to steal the personal health data of some 4.5 million patients of Community Health Systems (CHS).
Shellshock, a Unix vulnerability, could be even worse. The bug could impact “a half billion web servers and other Internet-connected devices including mobile phones, routers, and medical devices, according to cybersecurity firm Trend Micro,” the Washington Post reported.
These and other vulnerabilities could be used by hackers not only to steal information, but to interfere with medical equipment and devices in a variety of ways.
Again, the FDA said it has yet to receive a report of a device or apparatus being hacked to harm a patient. But some analysts say that, given time and opportunity, dangerous events could happen unless healthcare organizations heed such warnings. Chris Petersen, CTO and co-founder of security firm LogRhythm, wrote in Forbes that,
“Research in this area has conclusively substantiated the vulnerabilities of these devices, with multiple frightening scenarios being proved out.”
In the guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices - Guidance for Industry and Food and Drug Administration Staff,” some of the recommendations put forth by the FDA include:
- Limit access to devices through the authentication of users (user ID and password, smartcard, biometric), including layered authorization and multi-factor authorization.
- Strengthen password protection by avoiding “hardcoded” passwords or common words.
- Provide physical locks on devices and their communication ports to minimize tampering.
- Restrict software or firmware updates to authenticated code.
- Ensure capability of secure data transfer to and from the device, and use encryption methods.
- Implement features that allow for security compromises to be detected, recognized, logged, timed, and acted upon during normal use.
- Implement device features that protect critical functionality, including physical locks, even when the device’s cybersecurity has been compromised.
- Guide the end user on appropriate actions to take upon detection of a cybersecurity event.
In their premarket submissions, manufacturers should also provide the FDA with additional information regarding cybersecurity features of their devices, including:
- Hazard analysis and a traceability matrix that links all the cybersecurity risks considered in the product design with all corresponding cybersecurity controls put in place
- Plan for providing validated software updates and patches as needed throughout the lifecycle of the medical device to ensure its safety and effectiveness
- Description of cybersecurity controls to ensure integrity of the device from the point of manufacturing origin to the intended use environment (e.g. free of malware, anti-virus protection, use of firewall)
FDA Seeking Help
The FDA knows that it needs to enlist the help of relevant stakeholders in the healthcare sector in order to fight cyber attacks. The agency said recently that it’s collaborating with the National Health Information Sharing and Analysis Center to share information about threats.
The FDA is also working with the U.S. Department of Health and Human Services and the Department of Homeland Security. In mid-October, which is National Cybersecurity Awareness Month, they are holding a public workshop to elicit suggestions from experts and the public.
Analysts are praising the balanced approach the FDA has taken to address cybersecurity issues—enjoining medical device makers to beef up security, without necessarily stifling product usability and innovation.
“While long overdue, this move by the FDA is to be welcomed,” Stephen Cobb, a senior security researcher at anti-malware provider ESET, told Healthcare Info Security. “Any efforts to focus attention on the security and privacy aspects of medical devices should be embraced, especially in light of the rapidly expanding adoption of consumer health devices and apps, mobile health, wearable technology and telemedicine.”
As we move into the Internet of Things era, medical devices—among many others—will be increasingly interconnected. It’s a benefit for convenience and optimized use, but also a potential hazard—since increased connectedness is also accompanied by a corresponding rise in cybersecurity threats.