High-tech precautions

FDA calls for controls against cyberattacks

Modern Healthcare - - THE WEEK IN HEALTHCARE - Rachel Landen

With so many hospital computers and pieces of medical equipment plugged into the Internet, the healthcare system is increasingly vulnerable to intruders or malware that could crash critical components or steal information.

Attempting to get ahead of that risk last week, the Food and Drug Administration issued a notice asking devicemakers and healthcare facilities to introduce controls that would guard against cyberattacks.

“Every machine has a computer, and it has the same risk that a computer would,” said Dr. John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston.

And because “there’s a network jack on the back of every piece of hospital equipment,” Halamka said, the machines are in danger of being infected with computer viruses that can affect the way they operate. Viruses and malware can bump equipment offline, interrupting patient service, or damage a device to the point that it needs replacement. At worst, cyberattacks on medical devices can potentially put patients’ health in jeopardy.

The medical device industry’s trade group says that hasn’t happened yet. “Despite the fact that there has been no patient harm as the result of either inadvertent or intentional cybersecurity breaches, we understand FDA’s desire to be cautious in this area,” Janet Trunzo, senior executive vice president of technology and regulatory affairs for the Advanced Medical Technology Association, said in a statement.

Though the FDA does not believe that specific devices or systems have been purposely targeted, hospitals have been the victims of cyber breaches brought about by increased connectivity and a virus-plagued Internet, or “swamp,” as Halamka calls it.

At Beth Israel, a radiology workstation became infected, putting personal patient data at risk as it was transmitted off the workstation and onto an external server. And a fetal monitor for women with high-risk pregnancies was also infected with malware, slowing the device so much that it was taken out of service.

These kinds of events are exactly why the FDA issued its guidance and why Halamka said this guidance, plus awareness, is essential.

The FDA is recommending that manufacturers implement security controls such as user authentication, stronger passwords, physical locks and card readers. Other suggestions include security patches and restrictions on updates to authenticated code, as well as design approaches that maintain a device’s critical functionality even in the event of an attack or breach.

Healthcare facilities, according to the FDA, should restrict unauthorized access to networks and devices, update anti-virus software and firewalls, monitor network activity and also develop strategies to maintain critical functionality when security is compromised.

“It’s a really important responsibility for the clinical engineering professional to take on in collaboration with IT to address these risks,” said James Keller, vice president of health technology evaluation and safety at ECRI Institute. “A really simple thing that hospitals really need to do is have a good understanding of what medical devices are connected to their network.”

The FDA is also requesting that manufacturers and healthcare personnel report cybersecurity events to MedWatch, its Safety Information and Adverse Event Reporting program, so as to identify vulnerabilities and reduce future incidents.
