Computer viruses in medical devices: who should bear the costs of combating them? FDA issues warning, takes action
Computer virus infections of medical devices continue to be a serious issue, keeping healthcare provider IT departments busy removing malware (see our October 2012 blog post "Computer viruses on hospital medical devices: a growing concern; possible solutions"). The FDA has issued a warning regarding this threat and is now asking, although not yet requiring, both healthcare providers and medical device manufacturers to take additional steps to heighten cybersecurity.
Via Modern Healthcare:
The Food and Drug Administration issued a notice on Thursday asking medical device manufacturers and healthcare facilities to introduce controls that would guard against cyberattacks on medical equipment and hospital networks.
Because many medical devices connect to the Internet, they are at risk of being infected with computer viruses that can affect the way they operate, putting patients' health in jeopardy. And devices and networks that are not properly secured leave them and the data they contain vulnerable to unauthorized access and use.
“Despite the fact that there has been no patient harm as the result of either inadvertent or intentional cybersecurity breaches, we understand FDA's desire to be cautious in this area,” Janet Trunzo, senior executive vice president of technology and regulatory affairs for the Advanced Medical Technology Association, said in a statement. “Our industry provides many life-saving or life-enhancing devices. So, it is important for both the manufacturers and the users of these devices to be aware of the potential for cybersecurity breaches.”
The FDA is recommending that manufacturers implement security controls such as user authentication, stronger passwords, physical locks and card readers. Other suggestions include security patches and restrictions on updates to authenticated code, as well as design approaches that maintain a device's critical functionality even in the event of an attack or breach.
Healthcare facilities, according to the FDA, should restrict unauthorized access to networks and devices, update antivirus software and firewalls, monitor network activity, and also develop strategies to maintain critical functionality when security is compromised.
The FDA is also requesting that manufacturers and healthcare personnel report cybersecurity events to MedWatch, their Safety Information and Adverse Event Reporting program, so as to identify vulnerabilities in an effort to reduce future incidents.
By Rachel Landen
“FDA warns about risk of cyberattacks on medical equipment, hospital networks,” Modern Healthcare (June 14, 2013)