A screenshot of the password process for a Thoratec Left Ventricular Assist Device (LVAD), provided to Dr. Kevin Fu by a physician he met on an airplane. What is the hazard analysis associated with this security mechanism?
I'll update the list below as new information comes in. Here are some juicy quotes.
Computer viruses and other malware increasingly are infecting equipment such as hospital computers used to view X-rays and CT scans and devices in cardiac catheterization labs, agency officials said. The problems cause the equipment to slow down or shut off, complicating patient care. As more devices operate on computer systems that are connected to each other, a hospital network and the Internet, the potential for problems rises dramatically, they said.
- WSJ on "Patients Put at Risk by Computer Viruses"
“We are aware of hundreds of medical devices that have been infected by malware,” or dangerous computer software, said Bill Maisel, a senior official at the FDA’s device unit. Though the agency doesn’t know of deaths or injuries resulting from this, he said, “it’s not difficult to imagine how these types of events could lead to patient harm.”
For instance, previously unreleased Department of Veterans Affairs records show that since 2009, malware infected at least 327 devices at VA hospitals. More than 40 viruses hit devices including X-ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG.
In one case, a VA catheterization laboratory was temporarily closed in January 2010, VA officials said. At that New Jersey facility, records show that malware had infected computer equipment needed for procedures to open blocked arteries after heart attacks. Separately, at a private Boston hospital, a virus caused a device to potentially expose sensitive patient information by sending it to outside servers.
- WSJ on "Potential Cyberattacks on Implanted Medical Devices Draw Attention"
Worries over medical-device cybersecurity have largely focused on plugged-in equipment primarily used in hospitals, such as computed tomography scanners and heart monitors that are vulnerable to viruses traveling across medical networks.
Reps. Anna Eshoo (D-Calif.) and Edward Markey (D-Mass.) praised the Food and Drug Administration for directing device makers to explain how they will protect their products from hacking or tampering.
"I welcome the FDA's tightening of security standards for medical devices capable of connecting to each other, hospital networks and the Internet," Eshoo said. "Medical devices have resulted in tremendous benefits, but the demonstrated risk from malicious hackers that comes with enhanced connectivity requires a more stringent effort by the FDA and manufacturers to identify, evaluate and plug the potentially serious security holes that exist."
"We already protect our computers and other communications devices from hackers and other cyber threats, and it makes sense to extend those protections to patients and their medical devices," Markey said. "Patients should only have to worry about getting healthier and not about hackers tampering with their device or accessing their information. I have been concerned about this issue for years, and am encouraged that the FDA is taking action on this issue."
- GovInfoSecurity on "FDA Drafts Medical Device Security Guide: Risk Mitigation Tips for Healthcare Providers Also Offered"
Mark Olson, CISO at Beth Israel Deaconess Medical Center in Boston, calls the FDA announcements "a very positive step." He says the FDA "is placing a requirement on the manufacturers to acknowledge that they need to be part of the solution in protecting their equipment at the customers' location. It is a well-balanced approach, placing joint responsibility on the vendor and the user of the products. For security practitioners, the model of joint responsibility is ideal."
A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
"Hundreds of medical devices have been affected, involving dozens of manufacturers," Maisel said, adding that many were infected by malicious software, or malware.
- William Hyman at AAMI on "FDA Weighs in on Cybersecurity"
- GovInfoSecurity on "Medical Device Vulnerability Alert Issued"
The recently released draft guidance and related alerts about medical device cybersecurity are steps in the right direction, but won't likely result in big changes right away, says Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety and Security Consortium.
That's because many healthcare organizations aren't willing to apply OS patches or anti-viral software to medical devices without the approval of the medical device vendors because of fears about liability if something goes wrong, Nordenberg says. At the same time, the medical device makers often can't keep up with testing OS patches on their devices, he adds.
"Guidance alone may be a call to action, but the market can really accelerate best security practices for medical devices," Nordenberg says.
- DotMed on "Medical Devices Riddled with Security Vulnerabilities"