By Ransdell Pierson and Jim Finkle
June 13, 2013 - The U.S. Food and Drug Administration on
Thursday urged medical device makers and medical facilities to
upgrade security protections to protect against potential cyber
threats that could compromise the devices or patient privacy.
It released that advisory in coordination with a separate
alert from the Department of Homeland Security, which disclosed
a vulnerability in a wide variety of medical equipment that can
make those devices vulnerable to remote attacks from hackers.
"Over the past year, we've become increasingly aware of
cyber security vulnerabilities in incidents that have been
reported to us," William Maisel, deputy director for science at
the FDA's Center for Devices and Radiological Health, said in an
interview. "Hundreds of medical devices have been affected,
involving dozens of manufacturers," Maisel said, adding that
many were infected by malicious software, or malware.
But he said all the infections appeared to be unintentional,
largely due to malware and computer viruses that were
circulating in hospital computer networks and jumped onto the
devices.
An alert published on the government's Industrial Control
Systems Cyber Emergency Response Team website cited research
from Billy Rios and Terry McCorkle of the cyber security firm
Cylance Inc, who said they have identified more than 300 pieces
of medical equipment that are vulnerable to cyber attack. They
include surgical and anesthesia devices, ventilators, drug
infusion pumps, patient monitors and external defibrillators.
The problem with the equipment is that it can be controlled
using default passwords that can be obtained with relative ease
by motivated hackers, Rios said in an interview. Those passwords
give their holders complete control of the devices and in some
cases can be used to gain that access remotely via the Internet,
he said.
"Somebody could take over the device and make it do whatever
they want it to do and it would be almost impossible for
hospital staff to know that it had been tampered with," Rios
said.
Rios and McCorkle are among a group of security experts who
in recent years have suggested that medical devices such as
insulin pumps and pacemakers could be vulnerable to hacking.
The FDA on Thursday said it is not aware of any patient
injuries or deaths associated with devices and hospital computer
networks that have been infected with malware and computer
viruses.
In an advisory on its website, however, the FDA said
manufacturers, hospitals and patients need to protect themselves
better from the introduction of malware in medical equipment and
unauthorized access to settings that control devices.
"Many medical devices contain configurable embedded computer
systems that can be vulnerable to cybersecurity breaches," the
agency said.
The risk of breaches has grown as devices have become
increasingly interconnected, via the Internet, hospital
networks, other medical devices and smartphones, the FDA said.
"Specifically we recommend that manufacturers review their
cybersecurity practices and policies to assure that appropriate
safeguards are in place to prevent unauthorized access or
modification to their medical devices or compromise of the
security of the hospital network that may be connected to the
device," the agency said.
Among its recommendations, the FDA said manufacturers need
to take steps to limit unauthorized device access to trusted
users only, particularly for devices that are "life sustaining"
or could be directly connected to hospital networks.
User IDs, passwords and other security controls need to be
strengthened, including potential use of biometrics, the agency
said. Moreover, manufacturers need to assure that devices
recover and continue to work once security has been compromised.
"Cybersecurity incidents are increasingly likely," the FDA
said, "and manufacturers should consider incident response plans
that address the possibility of degraded operation and efficient
restoration and recovery."
The FDA also urged health care facilities to evaluate their
network security, including restricting unauthorized access to
the network and networked devices.