Medical Devices Vulnerable to Remote Cyber Tampering, FDA Warns

Ale Espinosa This post is not suited for the faint-hearted … especially those wearing a medical device.

The U.S. Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical device manufacturers and user facilities, hospitals, health care IT and procurements staff, and biomedical engineers, following news of security issues in certain fetal monitors and software used in body fluid analysis.

According to the FDA’s safety communication issued last week, there are strong concerns regarding medical devices and hospital networks’ vulnerability to malware, as well as with the unauthorized access to their configuration settings. Among the devices and systems at greater risk are those that are network-connected or configured, hospital computers, smartphones and tablets, and password databases, among others.

“Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery,” stated the FDA in its safety communication. FDA officials also asked companies to develop security controls that would protect the confidentiality and integrity of data and limit malfunctions in the event of computer viruses.

At Guidance Software, our work becomes exponentially gratifying and fulfilling when we know our software is used to help prevent incidents that may have otherwise endangered the lives of many. Our incident response and sensitive data discovery solution, EnCase Cybersecurity, was designed to aid in situations like these by:

• Enabling sensitive data audits to help locate and wipe confidential data from unauthorized computers – hence protecting patient privacy and access to restricted information that, in the case of medical devices, could be used to alter their configuration settings
• Accelerating the incident response process by reducing the time it takes to identify, validate, triage and remediate malware threats and security breaches – which can prevent or contain the possible damage of a cyber attack

The FDA is not aware of any patient injuries or deaths associated with these incidents nor have they received indication that any specific devices or systems in clinical use have been purposely targeted. With software like EnCase Cybersecurity out in the market, we are hoping it stays that way.

To read more about the FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks, visit the FDA’s website.