US FDA recommends manufacturers protect medical devices against cyber attacks

16 June 2013 (Last Updated June 16th, 2013 18:30)

The U.S. Food and Drug Administration has urged medical device makers, hospitals and other medical facilities to boost their protection systems against cyber attacks, which could affect how a medical device operates or compromise the safety and privacy of patients.

The US Food and Drug Administration (FDA) has urged medical device makers, hospitals and other medical facilities to boost their protection systems against cyber attacks, which could affect how a medical device operates or compromise the safety and privacy of patients.

Several medical devices contain configurable embedded computer systems, which could be vulnerable to cybersecurity threats.

As medical devices become more interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of cybersecurity breaches, which could ultimately affect the way a medical device operates.

Cyberattacks could be initiated either with the introduction of malware into the medical equipment or through unauthorised access to configuration settings in medical devices and hospital networks.

However, the FDA is currently not aware if such cyberattacks have led to any patient injuries or deaths, nor does it have any indication that any specific devices or systems that are in clinical use have been deliberately targeted.

"Several medical devices contain configurable embedded computer systems, which could be vulnerable to cybersecurity threats."

The FDA noted that it is working closely with other federal agencies and manufacturers to identify, communicate and reduce the incidents as and when they are identified.

It has also warned manufacturers that they are responsible for identifying risks associated with their medical devices, including those related to cybersecurity, and for having appropriate safeguards in place to address the safety and privacy of patients in addition to ensuring the proper functioning of devices.

The FDA has recommended manufacturers to conduct a review of their cybersecurity policies periodically in order to ensure appropriate systems are in place.

The scope to which such security controls are required depends on the medical device, its environment of use, the type of the risks it could be exposed to and the probable risks to patients from a security attack.