Date: 2013-06-13

June 13 - The U.S. Food and Drug Administration,
citing potential cyber threats to medical devices, on Thursday
urged medical device makers, hospitals and other medical
facilities to upgrade their protections against attacks that
could disable the devices or compromise patient privacy.
In recent years security experts have suggested that devices
such as insulin pumps or pacemakers could be vulnerable to
hacking, although the agency said it is not aware of any patient
injuries or deaths associated with such attacks.
The FDA issued an advisory that manufacturers, hospitals and
patients need to protect themselves better from the introduction
of malware in medical equipment and unauthorized access to
settings that control devices.
"Many medical devices contain configurable embedded computer
systems that can be vulnerable to cybersecurity breaches," said
the safety communication posted on FDA's website.
The potential risk of cybersecurity breaches is worsened by
the ways that devices are increasingly interconnected, via the
Internet, hospital networks, other medical devices and
smartphones, the FDA said.
"Specifically we recommend that manufacturers review their
cybersecurity practices and policies to assure that appropriate
safeguards are in place to prevent unauthorized access or
modification to their medical devices or compromise of the
security of the hospital network that may be connected to the
device," the agency said.
Among its recommendations, the FDA said manufacturers need
to take steps to limit device access to trusted
users only, particularly for devices that are "life sustaining"
or could be directly connected to hospital networks.
User IDs, passwords and other security controls need to be
strengthened, including potential use of biometrics, the agency
said. Moreover, manufacturers need to assure that devices
recover and continue to work once security has been compromised.
"Cybersecurity incidents are increasingly likely," the FDA
said, "and manufacturers should consider incident response plans
that address the possibility of degraded operation and efficient
restoration and recovery."
The FDA also urged health care facilities to evaluate their
network security, including restricting unauthorized access to
the network and networked devices.