FDA, facing cybersecurity threats, tightens medical-device standards
By Lena H. Sun and Brady Dennis, Published: June 12 | Updated: Thursday, June 13, 6:01 AM
The Food and Drug Administration is tightening standards for a wide range of medical devices — from fetal monitors used in hospitals to pacemakers implanted in people — because of escalating concerns that the gadgets are vulnerable to cybersecurity breaches that could harm patients.
Increasingly, officials said, computer viruses and other malware are infecting equipment such as hospital computers used to view X-rays and CT scans as well as devices in cardiac catheterization labs.The security breaches cause the equipment to slow down or shut off entirely, complicating patient care. As more devices operate on computer systems that are connected to each other, the hospital network and the Internet, the potential for problems rises dramatically, they said.
“Over the last year, we’ve seen an uptick that has increased our concern,” said William Maisel, deputy director of science and chief scientist at the FDA’s Center for Devices and Radiological Health. “The type and breadth of incidents has increased.” He said officials used to hear about problems only once or twice a year, but “now we’re hearing about them weekly or monthly.”
The FDA, in an effort to reduce the risks, for the first time is directing device manufacturers to explicitly spell out how they will address cybersecurity. On Thursday, the agency issued draft guidelines that, when finalized later this year, will allow the agency to block approval of devices if manufacturers don’t provide adequate plans for protecting the gadgets and updating their security protections over their commercial lifetimes. The FDA is also issuing a safety communication to manufacturers and hospitals.
The Department of Homeland Security, which is working with the FDA to reduce these vulnerabilities, recently received reports from two researchers that found potential weaknesses in 300 medical devices produced by about 50 vendors, an official said. The department also is planning to release an advisory on medical devices Thursday.
Government officials and patient safety advocates say they do not know of any cases in which patients have been directly injured because of a device compromised by a computer virus. And there is no evidence any implantable devices have been corrupted by viruses or other malware. Nor is there evidence that hackers have deliberately targeted a hospital network or medical device for malicious cyberattacks.
Still, experts say, hospitals and device manufacturers need to use multiple defenses to guard against the threats posed by the Internet.
“There’s almost no medical device that doesn’t have a network jack on the back,” said John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston. “To fight the evils of the Internet, not only do you have to have a moat, you have to have a drawbridge, burning oil to pour on attackers, and guys with arrows.”
Hospitals use thousands of medical devices, including ventilators that help patients breathe, monitors that measure a patient’s vital signs, and pumps that deliver medicine. Implantable devices include pacemakers, insulin pumps and defibrillators, many of which can be remotely monitored through a wireless network, making them susceptible to hacking.
Officials said security risks go beyond potential attacks from computer viruses, citing the uncontrolled distribution of passwords for software that is only supposed to be accessed by a few people and the failure by manufacturers to provide timely security software updates.
To be sure, modern medical devices have saved countless lives. But too many medical professionals are in a “complacent denial stage” and brush off problems as completely hypothetical, said Kevin Fu, who heads the Archimedes center for medical-device security at the University of Michigan.
In 2010 and 2011, he said, several hospitals were forced to temporarily close their cardiac catheterization labs because critical devices were infected. In at least one case, a patient had to be moved to another hospital for angioplasty, a procedure that widens blocked arteries.
The equipment problem in one facility was caused when someone plugged a USB drive, a portable device that stores data, into a device and infected it. Fu said he did not have information about the other cases and declined to name the hospitals, because of privacy concerns.
Another problem occurred some years ago at Beth Israel. Fetal monitors for women with high-risk pregnancies were infected by malware that slowed the devices’ response time. No patients were harmed and the problem was eventually fixed, Halamka said. Beth Israel now is one of the most aggressive hospitals in the country in countering cybersecurity risks.
It is nearly impossible to quantify how often cybersecurity incidents involving medical devices occur, because no one really keeps track, officials and experts say. The FDA has a database that allows people to report adverse events. But when medical devices fail, causing problems for patients, the people reporting the problems are usually not trained to identify malware as a cause.
Device manufacturers can solve the problems most easily but have the least incentive, because doing so is expensive, experts said. Hospitals, which buy the devices, want improved security but lack the resources or technical expertise to make the software fixes to the equipment. Experts say manufacturers typically refuse to apply software patches, claiming the FDA does not allow updates to regulated devices, but FDA officials say that is not the case.
“Medical device manufacturers have some of the smartest engineers on the planet,” Fu said. “But cybersecurity is uncharted territory for this industry.”
The federal government’s push for more hospitals and other providers to adopt electronic health records is also likely to increase connectivity — and risk, according to Jim Keller, vice president of health technology evaluation and safety at ECRI Institute, a patient safety organization that works with hospitals to improve medical-device and other technology safety.
“It’s an area that is not being addressed in a significant way by hospitals,” Keller said.
Average consumers expect that “when they go to a health-care institution or provider’s office, that there are laws and rules that the hospital has to comply with to keep the equipment safe from being tampered with and that people are complying,” said Deven McGraw, a health privacy expert at the Center for Democracy & Technology, an advocacy group.
“The reality,” she said, “is a little more complicated.”
At Beth Israel, there are about 15,000 devices on the hospital’s network on a typical day. About 500 of them are running on older operating systems that are most susceptible to malware infection, most often medical devices that are outside the direct control of the hospital, Halamka said.
The hospital uses firewalls to isolate these devices from the Internet. In some cases, smaller manufacturers have agreed to provide software fixes.
The hospital runs scans on the entire network every month to identify new risks and is doubling its information technology budget next year to address cybersecurity risks, Halamka said. But the ultimate answer, he said, is for manufacturers to build their systems in a way that supports the use of anti-virus software and permits fixes.
The Veterans Health Administration has also been among the most aggressive in working to eliminate cybersecurity vulnerabilities. Several years ago, it created a protection program aimed at quickly identifying and eliminating malware and viruses that arise in its tens of thousands of medical devices. It also scans flash drives and other portable media for viruses and limits the number of devices connected to the Internet.
“It’s served us well,” said Lynette Sherrill, deputy director of the Department of Veteran Affairs’ health information security division. “We’re trying to stay ahead of the curve.”
At a VA sleep lab in the Northeast several years ago, all of the computer systems became infected with Conficker malware. The sleep lab had to shut down temporarily and scrambled to move appointments until the problem was fixed.
Industry experts said they will work closely with FDA to address concerns.
Mark Leahey, president of the Medical Device Manufacturers Association, noted that there has been no reports of patients being hurt by security failures but added that the industry want to collaborate with “all the stakeholders” to fix any vulnerabilities.
Bernie Liebler, director of technology and regulatory affairs for the Advanced Medical Technology Association, another trade group, said viruses that infect networks are only one type of vulnerability. Human carelessness, such as leaving a password taped to a computer, is another.
“Ever since I’ve been in this industry, patient safety has been our biggest priority, and I don’t see that changing,” Liebler said. “You can’t get into the business of manufacturing medical devices and not want to make them safe.” He added: “I think FDA is really just trying to get a step ahead. . . . I expect this is going to be a joint effort of a lot of people with the same goal in mind.”
Academic researchers, government officials and industry experts have been ratcheting up their warnings in recent years about the potential vulnerabilities of medical devices.
In March 2012, a public-private federal advisory committee raised concerns about the security of medical devices, particularly those with wireless capabilities, according to its chairman, Daniel Chenok. He wrote to numerous government officials warning that a “lack of cybersecurity preparedness for millions of software-controlled medical devices puts patients at significant risk of harm.” He also noted that no agency had primary responsibility for ensuring the security of medical devices.
“Given the complexity of the technical issues involved, the board finds that diffusion of responsibility when it comes to the cybersecurity of medical devices raises a growing concern,” he wrote.
In May 2012, the Department of Homeland Security issued a bulletin focusing on potential security risks involving medical devices. It noted that the proliferation of wireless technology in the medical world “opens up both new opportunities and new vulnerabilities” and said that protecting “against theft of medical information and malicious intrusion is now becoming a major concern.”
A report issued by the Government Accountability Office this past summer contained similar findings. The agency suggested that the FDA expand and intensify its focus on information security risks.
Several years ago, Fu and other researchers demonstrated how a combination heart defibrillator and pacemaker was vulnerable to computer hacking in a lab. The researchers gained wireless access to the device and reprogrammed it to deliver jolts of electricity that would have potentially been fatal if the device had been in a person.
Fu said he believes the manufacturer fixed the problem, but not before a producer for the television series “Homeland” used it in the plot line for an episode in which the vice president dies after a terrorist hacks into his pacemaker and sends lethal jolts of electricity.