The U.S. Food and Drug Administration, citing potential cyber threats to medical devices, on Thursday urged medical device makers, hospitals and other medical facilities to upgrade their protections against attacks that could disable the devices or compromise patient privacy.
In recent years security experts have suggested that devices such as insulin pumps or pace-makers could be vulnerable to hacking, although the agency said it is not aware of any patient injuries or deaths associated with such attacks.
The FDA issued an advisory that manufacturers, hospitals and patients need to protect themselves better from the introduction of malware in medical equipment and unauthorized access to settings that control devices.
“Many medical devices contain configurable embedded computer systems that can be vulnerable to cyber security breaches,” said the safety communication posted on FDA’s website.
The potential risk of cyber security breaches is worsened by the ways that devices are increasingly interconnected, via the Internet, hospital networks, other medical devices and smartphones, the FDA said.
“Specifically we recommend that manufacturers review their cyber security practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device,” the agency said.
Among its recommendations, the FDA said manufacturers need to take steps to limit unauthorized device access to trusted users only, particularly for devices that are “life sustaining” or could be directly connected to hospital networks.
User IDs, passwords and other security controls need to be strengthened, including potential use of biometrics, the agency said. Moreover, manufacturers need to assure that devices recover and continue to work once security has been compromised.
“Cyber security incidents are increasingly likely,” the FDA said, “and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.”
The FDA also urged health care facilities to evaluate their network security, including restricting unauthorized access to the network and networked devices.