Hospitals can’t wait for medical devices to be fully secure

Dangerous bugs identified before they harm or kill anyone won’t have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.

The US Food & Drug Administration (FDA) has recently issued a final set of nonbinding recommendations on the digital security of medical devices. In a (pdf) document issued late last year, the FDA stated:

A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats. The exploitation of vulnerabilities may represent a risk to health and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits. Proactively addressing cybersecurity risks in medical devices reduces the overall risk to health.

The FDA last issued a set of recommendations for medical devices in October of 2014. Although the recommendations are nonbinding, manufacturers are required to notify the FDA if a flaw in a device led to a patient being harmed.



Suzanne Schwartz, MD MBA, CDRH Associate Director for Science and Strategic Partnerships at FDA

In a blog post by Suzanne Schwartz, the FDA summarized some of the key recommendations:

• Have a way to monitor and detect cybersecurity vulnerabilities in their devices
• Understand, assess and detect the level of risk a vulnerability poses to patient safety
• Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
• Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm

The FDA also states:

… it is paramount for manufacturers and stakeholders across the entire ecosystem to consider applying the National Institute of Standards and Technology’s (NIST) core principles for improving critical infrastructure cybersecurity: to identify, protect, detect, respond and recover. It is only through application of these guiding principles, executed alongside best practices such as coordinated vulnerability disclosure, that will allow us all to navigate this uncharted territory of evolving risks to device security.

It is clear that the FDA is seriously evaluating these vulnerabilities and the associated risks to patients. This is a welcome step in standardizing digital security in medical devices, and such standardization should be replicated throughout the world. However, hospitals and other medical facilities cannot just wait until devices become secure and safe. They must build resilient infrastructures that protect their patients from attack and exploitation. Many of these facilities are not prepared to run networks populated by guests, patients, staff, crucial medical data and applications, administrative data and applications, a growing number of medical apparatuses, and now a rapidly growing number of wearable devices.

A truly secure medical network infrastructure likely contains more firewalls than patients. ~Wieland Alge

This type of sophisticated connectivity needs a sophisticated, layered security approach with micro-segmentation and perimeterization as its core paradigms. A patient wearing a monitoring device, being checked by an apparatus while watching a movie on her iPad, must be connected to three different realms at the same time. A truly secure network infrastructure likely contains more firewalls than patients.

For more information on layered security and Barracuda Total Threat Protection, visit our corporate website here.
