By Lena H. Sun and Brady Dennis
Researchers use an artificial cadaver to test the security of medical devices, such as pacemakers and defibrillators. / JOSEPH XU/MICHIGAN ENGINEERING COMMUNICATIONS & MA
WASHINGTON — The Food and Drug Administration is tightening standards for a wide range of medical devices – from fetal monitors used in hospitals to pacemakers implanted in people – because of escalating concerns that the gadgets are vulnerable to cybersecurity breaches that could harm patients.
Increasingly, officials said, computer viruses and other malware are infecting equipment such as hospital computers used to view X-rays and CT scans as well as devices in cardiac catheterization labs. The security breaches cause the equipment to slow down or shut off entirely, complicating patient care. As more devices operate on computer systems that are connected to each other, the hospital network and the Internet, the potential for problems rises dramatically, they said.
“Over the last year, we’ve seen an uptick that has increased our concern,” said William Maisel, deputy director of science and chief scientist at the FDA’s Center for Devices and Radiological Health. “The type and breadth of incidents has increased.” He said officials used to hear about problems only once or twice a year, but “now we’re hearing about them weekly or monthly.”
The FDA, in an effort to reduce the risks, for the first time is directing device manufacturers to explicitly spell out how they will address cybersecurity. Last week, the agency issued draft guidelines that, when finalized later this year, will allow the agency to block approval of devices if manufacturers don’t provide adequate plans for protecting the gadgets and updating their security protections over their commercial lifetimes. The FDA is also issuing a safety communication to manufacturers and hospitals.
The Department of Homeland Security, which is working with the FDA to reduce these vulnerabilities, recently received reports from two researchers that found potential weaknesses in 300 medical devices produced by about 50 vendors, an official said. The department also is planning to release an advisory on medical devices Thursday.
Government officials and patient safety advocates say they do not know of any cases in which patients have been directly injured because of a device compromised by a computer virus. And there is no evidence any implantable devices have been corrupted by viruses or other malware. Nor is there evidence that hackers have deliberately targeted a hospital network or medical device for malicious cyberattacks.
Still, experts say, hospitals and device manufacturers need to use multiple defenses to guard against the threats posed by the Internet.
“There’s almost no medical device that doesn’t have a network jack on the back,” said John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston. “To fight the evils of the Internet, not only do you have to have a moat, you have to have a drawbridge, burning oil to pour on attackers, and guys with arrows.”
Hospitals use thousands of medical devices, including ventilators that help patients breathe, monitors that measure a patient’s vital signs, and pumps that deliver medicine. Implantable devices include pacemakers, insulin pumps and defibrillators, many of which can be remotely monitored through a wireless network, making them susceptible to hacking.
Officials said security risks go beyond potential attacks from computer viruses, citing the uncontrolled distribution of passwords for software that is only supposed to be accessed by a few people and the failure by manufacturers to provide timely security software updates.
To be sure, modern medical devices have saved countless lives. But too many medical professionals are in a “complacent denial stage” and brush off problems as completely hypothetical, said Kevin Fu, who heads the Archimedes center for medical-device security at the University of Michigan.
In 2010 and 2011, he said, several hospitals were forced to temporarily close their cardiac catheterization labs because critical devices were infected. In at least one case, a patient had to be moved to another hospital for angioplasty, a procedure that widens blocked arteries.
The equipment problem in one facility was caused when someone plugged a USB drive, a portable device that stores data, into a device and infected it. Fu said he did not have information about the other cases and declined to name the hospitals, because of privacy concerns.
It is nearly impossible to quantify how often cybersecurity incidents involving medical devices occur, because no one really keeps track, officials and experts say. The FDA has a database that allows people to report adverse events. But when medical devices fail, causing problems for patients, the people reporting the problems are usually not trained to identify malware as a cause.
Device manufacturers can solve the problems most easily but have the least incentive, because doing so is expensive, experts said.
“Medical device manufacturers have some of the smartest engineers on the planet,” Fu said. “But cybersecurity is uncharted territory for this industry.”
The federal government’s push for more hospitals and other providers to adopt electronic health records is also likely to increase connectivity – and risk, according to Jim Keller, vice president of health technology evaluation and safety at ECRI Institute, a patient safety organization that works with hospitals to improve medical-device and other technology safety.
“It’s an area that is not being addressed in a significant way by hospitals,” Keller said.
Average consumers expect that “when they go to a health-care institution or provider’s office, that there are laws and rules that the hospital has to comply with to keep the equipment safe from being tampered with and that people are complying,” said Deven McGraw, a health privacy expert at the Center for Democracy & Technology, an advocacy group.
“The reality,” she said, “is a little more complicated.”
The Veterans Health Administration has also been among the most aggressive in working to eliminate cybersecurity vulnerabilities. Several years ago, it created a protection program aimed at quickly identifying and eliminating malware and viruses that arise in its tens of thousands of medical devices. It also scans flash drives and other portable media for viruses and limits the number of devices connected to the Internet.
“We’re trying to stay ahead of the curve,” said Lynette Sherrill, deputy director of the Department of Veterans Affairs’ health information security division.