FDA calls on manufacturers, hospitals to better protect medical devices


The U.S. Food and Drug Administration on Thursday warned medical professionals to implement practices that will safeguard computer-embedded health care devices from attack.

"Many medical devices contain configurable embedded computer systems that can be vulnerable to cyber security breaches," the advisory said. "In addition, as medical devices are increasingly interconnected, via the internet, hospital networks, other medical [devices] and smartphones, there is an increased risk of cyber security breaches, which could affect how a medical device operates."

The FDA recommended that device manufacturers "take appropriate steps to limit the opportunities for unauthorized access" to these endpoints. This includes evaluating their security practices and policies, and deploying designs, strategies and methods to both protect against attack and respond in the event of a breach.

Meanwhile, health care entities must ensure their networks are built to repel unauthorized access and attacks by monitoring for anomalous behavior, patching regularly and conferring with device makers.

The FDA also noted that manufacturers are required under Medical Device Reporting requirements to alert the agency of any security issues associated with their products. Health care staff can voluntarily report security "events" related to a medical device through the MedWatch program.

The agency said it was not aware of any real-life attacks that have targeted these devices, nor any patient injuries or deaths associated with a compromise.

The government warning should come as no surprise to the security research community, which for several years has showcased how these devices are susceptible to malicious attack.

For example, at the 2011 Black Hat conference in Las Vegas, researcher and Type 1 diabetic Jay Radcliffe demonstrated how he is able to send commands to wirelessly disable (within about 150 feet) the insulin pump he has been wearing since he was 22.

And as early as 2008, studies have shown how pacemakers could be manipulated by remote attackers.
