When cybersecurity is considered, it generally refers to businesses avoiding attacks with anti-virus software or considering the different types of malware that can infect a system. The issue of cyberattacks against medical devices has not always been at the forefront of IT security headlines, but recent incidents have changed that.
Hacking into medical devices has so far only been seen in demonstrations, but it's a legitimate threat. Cyber criminals can, in theory, gain access to devices like insulin pumps and pacemakers causing fatal results.
On June 13, the FDA made a recommendation that all healthcare facilities and medical device manufacturers take the necessary steps to ensure that medical devices are safeguarded from malware attacks and reduce the risk of failure.
While there's no known real-world attacks, the FDA has recently been made aware of vulnerabilities that could impact medical devices and hospital network operations.
The risks include:
- Malware on hospital computers, tablets and mobile devices that use wireless connections
- Lack of security with disabled passwords and uncontrolled password exchanges
- Malware infecting network connected medical devices
- Security software that's not up to date or patched, leading to vulnerabilities
University of Michigan professor of computer science Kevin Fu said that there's currently no science behind research going into looking for cyberattacks in medical devices.
"It takes just a blink of the eye for malware to get in," Fu said. "My opinion is that the greater risk is from malware that accidentally gets into a device rather than the attacks in fictionalized programs."
The FDA suggested that manufacturers ensure devices are accessed by trusted users only, have appropriate security controls in place, and include "fail safe" modes in case a device is compromised.
Similarly, the FDA suggested that healthcare facilities develop security plans in case of malware attacks, monitor network activity and protect network components and run scans regularly. Responding quickly to an incident can help organizations better understand the risk and form more effective responses.