Concerns Over Cybersecurity in Medical Devices Should Lead to Information Sharing, Officials Say

In the wake of increasing concerns over medical device cybersecurity, the FDA is calling on healthcare organizations and medical device manufacturers to share more information concerning potential vulnerabilities. 

The U.S. Food and Drug Administration (FDA) held a two day workshop on cybersecurity issues in Arlington, Virginia this week. The FDA oversees the approval of medical devices, and additional steps are being taken to protect against potential hacking that could cause patients to be injured or killed in a cyberattacks.

During the conference, FDA officials said the majority of medical devices have little or no protections against hacking and called on healthcare providers and manufacturers to share information to help make vulnerable medical devices less susceptible to cyberattacks.

Jason Lay, manager of cyberthreat information for the Department of Health and Human Services, called the possibility of hacks to medical devices a “very real possibility.” He said hackers could potentially tamper with medical devices and use them to gain access to healthcare organizations’ electronic health record systems.

The conference was prompted by the recent concerns regarding the cybersecurity of medical devices, such as infusion pumps, insulin pumps and heart devices.

Homeland Security Investigation

The U.S. Department of Homeland Security (DHS) is investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. While no actual incidents have taken place, there are concerns that those vulnerabilities could be exploited.

Some of the devices include Hospira infusion pumps and Medtronic implantable heart devices.

Other hospital equipment is connected to healthcare data systems and electronic health records. Security officials said these devices could also become a major target of hackers.

Critics say device manufacturers and healthcare provider groups are aware of the vulnerabilities, which may allow hackers to access the devices, yet they do not appear to be focusing sufficient efforts on repairing the potential flaws.

The FDA is calling on device manufacturers and healthcare provider groups to share information about cybersecurity vulnerabilities in the devices and specific ways to address them to prevent serious repercussions.

A demonstration conducted at the RSA security conference in San Francisco in 2012 revealed how easy it would be for hackers to access medical devices, such as insulin pumps, triggering the devices to provie patients with extra doses that may cause a lethal reaction. The demonstration revealed hackers could access the devices from 300 feet away.

Earlier this month, the FDA issued final guidance on cybersecurity for medical devices, which calls on manufacturers to handle cybersecurity concerns surrounding new technology used in medical devices to avoid further problems.

The FDA also urged manufacturers to consider potential hacks during the initial design of medical devices and is asking them to inform the agency of potential risks and how to handle them.