The FDA is Taking Notice of Medical Device Cybersecurity
The FDA just issued a Safety Communication on cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals, or other acute and non-acute health care facilities, such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures.
Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers. This can potentially harm the patient. While it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling this product, cybersecurity is still a real concern. It will be critical for manufacturers to implement appropriate safeguards now that more and more devices are connecting remotely to healthcare networks.
In June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. These attacks could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.
As products rely more heavily on networked communication, medical device cybersecurity is going to become an even greater concern. The FDA has already become aware of the following breaches:
- Network-connected/configured medical devices infected or disabled by malware;
- The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices;
- Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel);
- Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices);
- Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.
How Cybersecurity Plays a Vital Role in Medical Devices
A variety of safe, convenient, and cost-effective implantable or wearable devices are being used at clinics, hospitals, and homes to monitor the vitals of patients.
For example, patients with heart implants can be remotely monitored, and automated insulin pumps administer the correct dosage of insulin to diabetes patients.
Cybersecurity protects the software used in these tools, which communicate over wireless or wired connections using the internet.
The healthcare industry is one of the hottest targets for cybercriminals as they attempt to steal confidential healthcare data. If the information technologies used in medical devices and tools are not safe, the health and lives of millions of patients can be put at risk.
Cybersecurity helps maintain routine regulations that fend off cybercriminals and safeguard systems against new risks and vulnerabilities.
Legacy medical devices were not originally designed with cybersecurity in mind. When such devices are used in connected environments, they pose a great risk because they are not secure against cyber threats. These devices include imaging and dispensing systems, infusion pumps, ECG, and patient monitoring systems.
All these devices use the internet for communication. Cybersecurity helps in safeguarding the data moving across these tools and devices.
Cybercriminals use the simplest tools like email and malware to sabotage medical systems and compromise important and sensitive medical data. A variety of medical devices are connected to the hospital networks, and if these hospital networks are vulnerable, all the diagnostic equipment is at risk.
Cybersecurity safeguards all equipment against vulnerabilities and threats.
Medical devices are extremely vulnerable to direct attacks, and they can expose the entire hospital network to these cyber threats.
Cybercriminals can breach data, steal sensitive information, cancel thousands of appointments, or divert ambulances from specific hospitals to others, creating chaos and unrest and putting the lives of hundreds of patients at risk.
Cybersecurity safeguards medical tools, technology, and data at all levels from all kinds of security risks.
Despite the best protective measures out there, data breaches cost the healthcare industry about $5.6 billion every year. Such attacks in recent times have affected more than 29 million patient records.
As hackers' strategies evolve and data breaches become more complex and more difficult to contain and mitigate, cybersecurity becomes vitally important for safeguarding healthcare data as well as the lives of these patients.