By Ransdell Pierson and Jim Finkle
(Reuters) - The U.S. Food and Drug Administration on Thursday urged medical device makers and medical facilities to upgrade security protections to protect against potential cyber threats that could compromise the devices or patient privacy.
It released that advisory in coordination with a separate alert from the Department of Homeland Security, which disclosed vulnerability in a wide variety of medical equipment that can make those devices vulnerable to remote attacks from hackers.
"Over the past year, we've become increasingly aware of cyber security vulnerabilities in incidents that have been reported to us," William Maisel, deputy director for science at the FDA's Center for Devices and Radiological Health, said in an interview. "Hundreds of medical devices have been affected, involving dozens of manufacturers," Maisel said, adding that many were infected by malicious software, or malware.
But he said all the infections appeared to be unintentional, largely due to malware and computer viruses that were circulating in hospital computer networks and jumped onto the devices.
An alert published on the government's Industrial Control Systems Cyber Emergency Response Team website, cited research from Billy Rios and Terry McCorkle of the cyber security firm Cylance Inc, who said they have identified more than 300 pieces of medical equipment that are vulnerable to cyber attack. They include surgical and anesthesia devices, ventilators, drug infusion pumps, patient monitors and external defibrillators.
The problem with the equipment is that it can be controlled using default passwords that can be obtained with relative ease by motivated hackers, Rios said in an interview. Those passwords give their holders complete control of the devices and in some cases can be used to gain that access remotely via the Internet, he said.
"Somebody could take over the device and make it do whatever they want it to do and it would be almost impossible for hospital staff to know that it had been tampered with," Rios said.
Rios and McCorkle are among a group of security experts who in recent years have suggested that medical devices such as insulin pumps and pacemakers could be vulnerable to hacking.
The FDA on Thursday said it is not aware of any patient injuries or deaths associated with devices and hospital computer networks that have been infected with malware and computer viruses.
In an advisory on its website, however, the FDA said manufacturers, hospitals and patients need to protect themselves better from the introduction of malware in medical equipment and unauthorized access to settings that control devices.
"Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches," the agency said.
The risk of breaches has grown as devices have become increasingly interconnected, via the Internet, hospital networks, other medical devices and smartphones, the FDA said.
"Specifically we recommend that manufacturers review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device," the agency said.
Among its recommendations, the FDA said manufacturers need to take steps to limit unauthorized device access to trusted users only, particularly for devices that are "life sustaining" or could be directly connected to hospital networks.
User IDs, passwords and other security controls need to be strengthened, including potential use of biometrics, the agency said. Moreover, manufacturers need to assure that devices recover and continue to work once security has been compromised.
"Cybersecurity incidents are increasingly likely," the FDA said, "and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery."
The FDA also urged health care facilities to evaluate their network security, including restricting unauthorized access to the network and networked devices.
(Reporting by Ransdell Pierson in New York and Jim Finkle in Boston; Editing by Ros Krasny, Dan Grebler and Bernard Orr)