June 18th, 2013

FDA Raises Concerns About the Cybersecurity of Medical Devices

The FDA has raised concerns about the vulnerability of medical devices to cyberattack. In one dramatic instance, reported by the Wall Street Journal, a VA catheterization laboratory in New Jersey was temporarily closed after malware infected the lab’s computer devices.

The FDA last week recommended that device companies and medical facilities “take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.”

Many medical devices can be compromised over the internet, over wireless links, or through infected USB flash drives plugged into the device. The FDA said malware could reach patient data, monitoring systems, and implanted devices. Older devices may be especially exposed if the manufacturer does not provide timely security updates, or if available updates are never applied by the medical facility or by the patient carrying the device. In many cases the security threat to a given device has not been assessed or even recognized.

The FDA said that it is “not aware of any patient injuries or deaths associated with” lapses in cybersecurity or that any “specific devices or systems in clinical use have been purposely targeted at this time.” But cardiologist William Maisel, deputy director of science and chief scientist at the FDA’s Center for Devices and Radiological Health, told the Wall Street Journal that the FDA is “aware of hundreds of medical devices that have been infected by malware… it’s not difficult to imagine how these types of events could lead to patient harm.”

The Journal story mentions a Florida VA hospital in which 104 devices were infected with the Conficker worm, including a GE Precision MPI X-ray machine, a Hologic mammography device, and a Siemens gamma camera for nuclear medicine studies.

Another case involved a GE radiology device at Beth Israel Deaconess Medical Center in Boston that stored mammography images and patient information. The device became infected after a GE technician connected it to the internet; the hospital discovered the infection when it noticed “unexpected network traffic.” John Halamka, chief information officer at Beth Israel, told the Journal: “Seeing a radiology workstation sending data to an outside server is highly unusual.”
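The detection heuristic Halamka describes, a clinical workstation talking to an outside server, is simple enough to automate. The following is an added example written for this page; it is not code from the FDA, GE, or Beth Israel, and the device inventory, the flow records, and the allowlisted vendor gateway address are all constructed for illustration. It walks a batch of flow records, keeps only those whose source is a known medical-device host, and raises an alert for every destination outside the hospital's private address ranges that is not an explicitly approved external endpoint, summing the bytes sent so that a repeated trickle shows up as one finding.

```python
"""Flag medical-device hosts that send data to addresses outside the hospital.

Added example for illustration only; the inventory, the allowlist and the
flow records below are constructed, not taken from any real hospital.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: hosts known to be medical-device workstations or
# consoles. In practice this comes from the biomedical asset register.
DEVICE_HOSTS = {
    "10.20.5.11": "radiology-workstation-01",
    "10.20.5.12": "mammography-archive-01",
    "10.20.7.30": "gamma-camera-console-02",
}

# Destinations considered internal: the hospital's own private ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed external endpoints that device traffic is allowed to reach, e.g. a
# vendor remote-support gateway. Anything else outside INTERNAL_NETS alerts.
ALLOWED_EXTERNAL = {
    "192.0.2.10": "assumed vendor remote-support gateway",
}

# Constructed flow records: "timestamp src dst dport proto bytes".
# Port 104 is the usual DICOM port for image transfer to a PACS server.
SAMPLE_FLOWS = """\
2013-06-10T02:14:07Z 10.20.5.11 10.250.1.5 104 tcp 8192
2013-06-10T02:14:09Z 10.20.5.11 198.51.100.23 443 tcp 1048576
2013-06-10T02:15:00Z 10.20.5.12 10.250.1.5 104 tcp 4096
2013-06-10T02:15:40Z 10.20.5.12 192.0.2.10 443 tcp 512
2013-06-10T02:16:12Z 10.20.7.30 203.0.113.77 8080 tcp 262144
2013-06-10T02:17:30Z 10.30.1.8 198.51.100.23 443 tcp 2048
2013-06-10T02:18:00Z 10.20.5.11 198.51.100.23 443 tcp 2097152
"""


def parse_flow(line):
    """Split one constructed flow record into a dict with typed fields."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def is_external(dst):
    """True when dst lies outside every hospital-internal range."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def find_device_exfil(flow_text, min_bytes=0):
    """Return one alert per (device, external dst, port) with bytes summed.

    Non-device hosts are ignored here; they belong to other rules.
    Alerts are sorted by source, destination and port for stable output.
    """
    totals = defaultdict(int)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["src"] not in DEVICE_HOSTS:
            continue
        if not is_external(flow["dst"]) or flow["dst"] in ALLOWED_EXTERNAL:
            continue
        totals[(flow["src"], flow["dst"], flow["dport"])] += flow["bytes"]

    alerts = []
    for (src, dst, dport), nbytes in sorted(totals.items()):
        if nbytes >= min_bytes:
            alerts.append({"device": DEVICE_HOSTS[src], "src": src,
                           "dst": dst, "dport": dport, "bytes": nbytes})
    return alerts


if __name__ == "__main__":
    for alert in find_device_exfil(SAMPLE_FLOWS):
        print(f"ALERT {alert['device']} ({alert['src']}) -> "
              f"{alert['dst']}:{alert['dport']} sent {alert['bytes']} bytes")
```

Run against the constructed records, the rule flags the radiology workstation (two sessions to 198.51.100.23 totalling 3 MB) and the gamma camera console, while the PACS transfers, the allowlisted vendor gateway, and the non-device host at 10.30.1.8 produce nothing. The allowlist is the part that needs care in a real deployment: vendor remote-support and update channels are legitimate external traffic, and every entry should be tied to a named vendor and reviewed, because an overly broad allowlist is exactly the gap a malware callback would use.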

Halamka offered some additional perspective on the problem to the Washington Post:

“There’s almost no medical device that doesn’t have a network jack on the back. To fight the evils of the Internet, not only do you have to have a moat, you have to have a drawbridge, burning oil to pour on attackers, and guys with arrows.”
