FDA warns: beware malware on medical devices


The Food and Drug Administration (FDA) is recommending that healthcare facilities take steps to assure safeguards are in place to reduce the risk of failure due to cyber attacks, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

The FDA’s safety communication stated: “Many medical devices contain configurable embedded computer systems that can be vulnerable to cyber security breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical device, and smartphones, there is an increased risk of cyber security breaches, which could affect how a medical device operates.”

Recently, the FDA has become aware of cyber security vulnerabilities and incidents that could directly impact medical devices or hospital network operations. These include network-connected/configured medical devices infected or disabled by malware; the presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices; and uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access.

The FDA has been working closely with other federal agencies and manufacturers to identify, communicate and mitigate vulnerabilities and incidents as they are identified. Its safety communication makes a raft of recommendations designed to mitigate the risk of breaches. You can read the full document here: http://www.fda.gov/medicaldevices/safety/alertsandnotices/ucm356423.htm

FDA, malware, medical devices, healthcare risk management