FDA Announces New Efforts To Strengthen Medical Device Cybersecurity

Federal health officials have teamed up with IT experts to build a framework for device manufactures and healthcare organizations to identify and defend against cybersecurity risks that could allow data breaches and loss of control over medical devices. 

On October 1, FDA Administrator Scott Gottlieb announced a collaborative effort with MITRE Corporation to develop a medical device cybersecurity playbook, which is designed to prepare health care delivery organizations for malicious attacks that could gain control over medical devices used to treat patients.

Cybersecurity threats in the medical field have been a growing concern over the last few years, as vulnerabilities to healthcare organizations’ record systems and medical devices have surfaced.

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field’s cybersecurity issues are not taken, hackers could exploit these vulnerabilities and put patients in serious risk.

The FDA has been working on a framework for cybersecurity threats across the medical field since 2013, and the need for additional protection has only become more of a necessity with the increased number of incidents. In 2015 alone, the healthcare industry had more data breaches than in the previous six years combined, compromising more than 113 million medical records.

Although the FDA is not aware of any successful incidents where a medical device was hacked and altered while being used on a patient, the capability for the hack is present according to a demonstration at this year’s annual Defcon hacker convention in Las Vegas, Nevada.

Hackers showed they were able to exploit weaknesses in medical field software and acquire access and control of medical devices. The presentation showed how a hacker was able to gain access to a test-device and altered the vital readings, simulating a patient’s heartbeat had flat lined.

Previous medical device hacking demonstrations have dated back to 2012, when researchers at a RSA security conference in San Francisco in 2012, were able to hack medical devices such as insulin pumps from up to 300 feet away. The demonstration further showed how hackers could remotely take control of the insulin devices, allowing them to deliver lethal doses of insulin to patients without any notification.

The newly released playbook outlines how hospitals and other healthcare delivery organizations can develop a cybersecurity preparedness and response framework. The framework calls for a full device inventory and the development of a medical device cybersecurity information center and training sessions so staff are knowledgeable and can respond to an incident quickly and effectively.

The FDA has also developed their own internal playbook to assist in addressing large scale cybersecurity threats, vulnerabilities and incidents. Gottlieb said the playbook establishes a clear and effective plan to help the agency respond in a timely manner to medical device attacks with the focus of preserving patient life.

In addition to the playbook, the FDA also signed in a memorandum of Understanding (MOU) that serves to be a formal agreement among the agency, federal, state, and local government agencies and also academic institutions and other entities to help make collaborative efforts more transparent and assign authority or responsibility.