FDA calls for controls against cyberattacks
With so many hospital computers and pieces of medical equipment plugged into the Internet, the healthcare system is increasingly vulnerable to intruders or malware that could crash critical components or steal information.
Attempting to get ahead of that risk last week, the Food and Drug Administration issued a notice asking devicemakers and healthcare facilities to introduce controls that would guard against cyberattacks.
“Every machine has a computer, and it has the same risk that a computer would,” said Dr. John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston.
And because “there’s a network jack on the back of every piece of hospital equipment,” Halamka said, the machines are in danger of being infected with computer viruses that can affect the way they operate. Viruses and malware can bump equipment offline, interrupting patient service, or damage a device to the point that it needs replacement. At worst, cyberattacks on medical devices can potentially put patients’ health in jeopardy.
The medical device industry’s trade group says that hasn’t happened yet. “Despite the fact that there has been no patient harm as the result of either inadvertent or intentional cybersecurity breaches, we understand FDA’s desire to be cautious in this area,” Janet Trunzo, senior executive vice president of technology and regulatory affairs for the Advanced Medical Technology Association, said in a statement.
Though the FDA does not believe that specific devices or systems have been purposely targeted, hospitals have been the victims of cyber breaches brought about by increased connectivity and a virus-plagued Internet, or “swamp,” as Halamka calls it.
At Beth Israel, a radiology workstation became infected, putting personal patient data at risk as it was transmitted off the workstation and onto an external server. And a fetal monitor for women with high-risk pregnancies was also infected with malware, slowing the device so much that it was taken out of service.
These kinds of events are exactly why the FDA issued its guidance, and why Halamka said the guidance, plus awareness, is essential.
The FDA is recommending that manufacturers implement security controls such as user authentication, stronger passwords, physical locks and card readers. Other suggestions include security patches, restricting software and firmware updates to authenticated code, and design approaches that maintain a device’s critical functionality even in the event of an attack or breach.
Healthcare facilities, according to the FDA, should restrict unauthorized access to networks and devices, update anti-virus software and firewalls, monitor network activity and also develop strategies to maintain critical functionality when security is compromised.
“It’s a really important responsibility for the clinical engineering professional to take on in collaboration with IT to address these risks,” said James Keller, vice president of health technology evaluation and safety at ECRI Institute. “A really simple thing that hospitals really need to do is have a good understanding of what medical devices are connected to their network.”
The FDA is also requesting that manufacturers and healthcare personnel report cybersecurity events to MedWatch, its Safety Information and Adverse Event Reporting Program, so that vulnerabilities can be identified and future incidents reduced.