FDA warns of cyberattacks on medical devices, hospital networks

June 13, 2013 – The U.S. Food and Drug Administration (FDA) issued a cybersecuritynotice for medical devices and hospital networks recommending that medical device manufacturers and health care facilities take steps to assure safeguards are in place to reduce the risk of cyberattacks.

According to the FDA, these attacks could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. There are current reports that computer viruses and other malware are infecting equipment, such as hospital computers used to view X-rays and CT scans as well as devices in cardiac catheterization labs. Medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. The risk is heightened by the fact that medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones.

 

The notice recommends that health care facilities evaluate their network security and protect their hospital system.  These steps may include:

• Restricting unauthorized access to the network and networked medical devices.

• Monitoring network activity for unauthorized use.

• Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.

• Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.

• Developing and evaluating strategies to maintain critical functionality during adverse conditions.

 

The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices and review their policies to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device.

 

For more information: www.fda.gov and www.appliedradiology.com