Cyber-threat: FDA warns of medical device malware

Amid growing concern over malware and unauthorized access to medical devices, the FDA has issued a safety communication warning device manufacturers and healthcare facilities to take steps to guard against cyberattacks.

“Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches,” read the statement. “In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.”

Malware—a term that runs the gamut from self-replicating viruses to spyware—is a major problem for healthcare, where patient information is highly sensitive and medical devices keep people alive. Hundreds of malware incidents have affected hospital computers and devices. In a scenario ripped straight from a Hollywood thriller, security researchers have also argued that an attacker could reach a person's pacemaker and cause it to deliver a lethal shock.

Despite the potential for harm, the FDA said it is not aware of any patient injuries or deaths associated with such incidents, and it has no indication that such targeted attacks have been attempted. The FDA says it is working with other agencies and manufacturers to identify additional vulnerabilities, but it is already aware of the following:

  • Network-connected medical devices infected or disabled by malware;
  • Unauthorized access of patient data, monitoring systems and implanted devices through the use of wireless technology;
  • Uncontrolled distribution of passwords;
  • Security software that is not up-to-date, and medical devices and networks requiring software patches; and
  • Security vulnerabilities in off-the-shelf software such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.
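Two of the defect classes in that last bullet, hard-coded passwords and SQL injection, are easiest to understand side by side in code. What follows is an added illustration written for this article, not code from the FDA communication or from any actual device. The table layout, the account names, the `service1234` password and the injection strings are all constructed for the example; the vulnerable login check embeds a service-manual style backdoor credential and builds its query by string concatenation, while the hardened check uses a parameterised query and a salted, slow password hash.

```python
"""Constructed example: a device-management login check, vulnerable and hardened.

The vulnerable form has the two defects named in the FDA list: a hard-coded
service password baked into the code, and an SQL query assembled from user
input, so a crafted username or password bypasses authentication entirely.
The hardened form looks the user up with a bound parameter and compares a
salted PBKDF2 hash in constant time.
"""
import hashlib
import hmac
import os
import sqlite3

# Hard-coded backdoor credential of the kind printed in service manuals.
# Constructed for this example; not from any real product.
SERVICE_PASSWORD = "service1234"


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a leaked table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def setup_db(clinician_password: str) -> sqlite3.Connection:
    """In-memory database with one clinician account stored two ways:
    plaintext (used by the vulnerable check) and salted hash (hardened check)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", ("clinician", clinician_password))
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("clinician", salt, _hash(clinician_password, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately flawed: backdoor account plus string-built SQL."""
    # Defect 1: anyone who has read the service manual gets in.
    if username == "service" and password == SERVICE_PASSWORD:
        return True
    # Defect 2: the username and password are spliced straight into the query.
    # A username of  clinician'--  comments out the password check;
    # a password of  ' OR '1'='1  makes the WHERE clause always true.
    query = ("SELECT 1 FROM users_plain WHERE name = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised lookup, salted hash, constant-time comparison, no backdoor."""
    row = conn.execute("SELECT salt, pwhash FROM users WHERE name = ?", (username,)).fetchone()
    if row is None:
        # Spend the same effort on an unknown user so timing does not reveal
        # which usernames exist.
        _hash(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)


if __name__ == "__main__":
    conn = setup_db("correct horse battery")
    for user, pw in [("service", SERVICE_PASSWORD),
                     ("clinician'--", "wrong"),
                     ("clinician", "' OR '1'='1"),
                     ("clinician", "correct horse battery")]:
        print(f"{user!r:22} vulnerable={login_vulnerable(conn, user, pw)!s:5} "
              f"hardened={login_hardened(conn, user, pw)}")
```

Only the genuine clinician credential passes the hardened check; the backdoor account, the comment-injection username and the tautology password all succeed against the vulnerable one. On a real device the same two fixes apply: remove the shared service credential in favour of per-device, changeable credentials, and never build queries or commands from strings the network supplies.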

Heart attack

In the Showtime series Homeland, a character is assassinated by a shock from his pacemaker. The killer had learned the serial number on his target’s device, and was then able to remotely deliver the deadly jolt.

While it may seem far-fetched, experts have claimed such an attack is possible. Barnaby Jack, director of embedded device security for computer security firm IOActive—who gained notoriety by publicly demonstrating his ability to hack into an ATM—wrote in a blog post, “My first thought after watching this episode was ‘TV is so ridiculous! You don't need a serial number!’” Kevin Fu, PhD, of the University of Massachusetts, Amherst, and colleagues demonstrated the potential for a remote attack on an implantable medical device at the 2008 Institute of Electrical and Electronics Engineers Symposium on Security and Privacy.

The Department of Veterans Affairs has reported that since 2009, malware has infected at least 327 devices at VA hospitals, according to the Wall Street Journal.

Shoring up defenses

Before malware in healthcare can be combated, more must be learned about the scope of the problem. It’s likely that there have been instances where malicious software has caused issues in a device or network, but the problem was blamed on a more benign software or hardware glitch. FDA recall databases may not be equipped to accurately track security or privacy issues, according to an article published July 19, 2012, in PLoS One. In that article, Daniel B. Kramer, MD, of Beth Israel Deaconess Medical Center in Boston, and colleagues scanned FDA data from 2002 through 2011 and found zero recalls and only one adverse event related to patient security or privacy.

“While the lack of any security or privacy concerns through these two mechanisms may be reassuring, it seems more likely that the current recall classification scheme does not adequately capture device malfunctions of this type,” wrote Kramer and colleagues, who urged federal regulators to rethink how to collect data on security concerns in medical devices.

The FDA offered its own suggestions to device manufacturers and healthcare facilities in its recent statement. It reminded manufacturers to be vigilant about cybersecurity as they are responsible for addressing risks to patient safety. The FDA expects manufacturers to take steps to limit unauthorized access to devices and recommended strategies for active security protection such as timely deployment of security patches.

Healthcare facilities also should take steps to restrict unauthorized access to networks and devices, while maintaining antivirus software and firewalls, according to the FDA. If a cybersecurity problem related to a medical device is detected, providers should contact the manufacturer and the FDA. “Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. If you suspect that a cybersecurity event has impacted the performance of a medical device or has impacted a hospital network system, we encourage you to file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program.”