FDA orders medical-device makers to detail cybersecurity efforts
The security analysts wanted to know how easy it would be to hack into medical devices used in hospitals, knowing the danger if outsiders could gain control. They found the answer when they managed to figure out hundreds of restricted passwords for equipment that included surgical and anesthesia devices, patient monitors and lab analysis tools.
“We stopped after we got to 300,” said Billy Rios, who found the passwords with his colleague Terry McCorkle.
They alerted the federal government about what they had done, contributing to the Food and Drug Administration’s decision to tighten the standards for a range of medical devices. The FDA’s move, announced yesterday, reflects growing concerns that the gadgets – which include everything from fetal monitors used in hospitals to pacemakers implanted in people – are vulnerable to cybersecurity breaches that could harm patients.
Computer viruses and other malware increasingly are infecting equipment such as hospital computers used to view X-rays and CT scans and devices in cardiac catheterization labs, agency officials said. The problems cause the equipment to slow down or shut off, complicating patient care. As more devices operate on computer systems that are connected to each other, the hospital network and the internet, the potential for problems rises dramatically, they said.
“Over the last year, we’ve seen an uptick that has increased our concern,” said William Maisel, deputy director of science and chief scientist at the FDA’s Center for Devices and Radiological Health. “The type and breadth of incidents has increased.” He said officials used to hear about problems only once or twice a year, but “now we’re hearing about them weekly or monthly.”
The FDA, in an effort to reduce the risks, for the first time is directing device manufacturers to explicitly spell out how they will address cybersecurity. The agency yesterday issued draft guidelines that, when finalized this year, will allow the FDA to block approval of devices if manufacturers don’t provide adequate plans for protecting them. The agency also issued a safety communication to manufacturers and hospitals.
In addition to viruses and malware, security risks include the uncontrolled distribution of passwords for software that is supposed to be accessed only by a few people and the failure by manufacturers to provide timely security software updates.
In a public alert yesterday, the Department of Homeland Security, which is working with the FDA, credited Rios and McCorkle – both of whom work for Cylance, a cybersecurity firm – for their research on devices and passwords. Unauthorized access to passwords could allow critical settings to be changed, affecting how devices operate and what they do, the alert said.
The two security experts created a spreadsheet listing the device passwords they obtained and the 50 manufacturers that made the equipment. The DHS and FDA are working with the manufacturers to verify whether the potential risks from the passwords “are indeed actual vulnerabilities,” Maisel said.
There is no evidence, he said, that any hackers have deliberately targeted a hospital network or medical device for a malicious cyberattack. He cautioned that passwords alone may not be enough “to cause a security issue for a device.”
Government officials and patient safety advocates say they do not know of any cases in which patients have been directly injured because of a device compromised by a computer virus. And there is no evidence any implantable devices have been corrupted by viruses or other malware.
Still, experts say, hospitals and device manufacturers can’t afford to be complacent. They need to use multiple defenses to guard against the threats posed by the internet.
In addition to the wide array of hospital devices, implantable devices such as pacemakers, insulin pumps and defibrillators can be remotely monitored through wireless networks, making them susceptible to hacking.
“There’s almost no medical device that doesn’t have a network jack on the back,” said John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston. “To fight the evils of the internet, not only do you have to have a moat, you have to have a drawbridge, burning oil to pour on attackers, and guys with arrows.”
Kevin Fu, who heads the Archimedes Center for Medical Device Security at the University of Michigan, said that several hospitals in 2010 and 2011 were forced to temporarily close their cardiac catheterization labs, which typically perform procedures to widen blocked arteries, because critical devices were infected with malware. At least one patient had to be moved to another hospital.
At Beth Israel some years ago, fetal monitors for women with high-risk pregnancies were infected with malware that slowed the devices’ response time. Patients were not harmed and the problem was eventually fixed, Halamka said. Now the hospital is one of the most aggressive in the country in countering cybersecurity risks.
The FDA has a database for reports of adverse events, but quantifying cybersecurity incidents involving medical devices is nearly impossible. People reporting problems are usually not trained to identify malware as a cause.
Device manufacturers can solve the problems most easily but have the least incentive, because doing so is expensive, experts said. Hospitals, which buy the devices, want improved security but often lack the resources or technical expertise to make the software fixes to the equipment. Experts say manufacturers typically refuse to apply software patches, claiming the FDA does not allow updates to regulated devices, but FDA officials say that is not the case.
At Beth Israel, about 15,000 devices run on the hospital’s network on a typical day. About 500 of them are using older operating systems most susceptible to malware infection, most often medical devices outside the direct control of the hospital, Halamka said.
The hospital isolates these devices from the internet and scans its entire network monthly to find new risks. It is doubling its information technology budget next year.
The Veterans Health Administration created a protection program several years ago to eliminate malware and viruses. The federal agency scans flash drives and other portable media for viruses and limits the number of devices connected to the internet.
The ultimate answer, many experts said, is for manufacturers to build their systems in a way that supports the use of anti-virus software and permits fixes.
Mark Leahey, president of the Medical Device Manufacturers Association, said the industry wants to work with “all the stakeholders” to fix weaknesses.
Bernie Liebler, director of technology and regulatory affairs for the Advanced Medical Technology Association, another trade group, said patient safety is industry’s biggest priority.
Academic researchers, government officials and industry experts have ratcheted up warnings in recent years. A public-private federal advisory committee noted last year that no agency had primary responsibility for medical device security. Also last year, the DHS and the Government Accountability Office issued reports about potential problems.
Several years ago, Fu and other researchers demonstrated in a lab how a combination heart defibrillator and pacemaker was vulnerable to computer hacking. The researchers gained wireless access to the device and reprogrammed it to deliver jolts of electricity that would have potentially been fatal if the device had been in a person.
Fu said he believes that the manufacturer fixed the problem, but not before a producer for the television series “Homeland” used it in the plot line for an episode in which the vice president dies after a terrorist hacks into his pacemaker and generates lethal jolts of electricity.