Medical device cyber-safety rules issued by US watchdog

[Image: Diana Princess of Wales Hospital] Operations at hospitals across Lincolnshire were delayed thanks to a malware infection

Hackers are “continuously” targeting medical devices and hospitals, the US Food and Drug Administration (FDA) has warned.

The alert comes in new FDA rules that define how medical equipment makers should tackle cyber-threats.

Manufacturers should be constantly vigilant, said the watchdog, and make sure they can patch the flaws found in gadgets.

Its rules come at the end of a year that saw flaws found in many medical devices, and hospitals hit by malware.

Death notice

“Cyber-security threats are real, ever-present, and continuously changing,” wrote Dr Suzanne Schwartz, FDA associate director at its centre for devices and radiological health, in a blog.

“Hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety.”

To tackle threats to devices in hospitals or worn by patients, manufacturers needed to think about security throughout a product’s entire lifecycle, wrote Dr Schwartz.

In addition, she said, they needed to:

  • constantly monitor threats
  • detect vulnerabilities in the code their devices run
  • assess the potential dangers the products pose
  • make sure they can update gadgets to close any loopholes

Manufacturers should also become more comfortable working with security researchers who scrutinise gadgets for flaws, she said. Some researchers were threatened with legal action after highlighting a flaw.

Researchers have uncovered problems in many products, including defibrillators and drug infusion pumps. Some have also documented attacks on larger pieces of equipment such as MRI scanners.

Many hospitals also fell victim to ransomware attacks in 2016 – software that made their data unintelligible and demanded a payment to restore it to its prior state.

[Image] Many people use wearable or implanted gadgets to manage conditions like diabetes

In some cases operations and other procedures were cancelled because computer systems were knocked out by malware.

“As hackers become more sophisticated, these cyber-security risks will evolve,” wrote Dr Schwartz.

The FDA pointed out that the rules are not legally binding but instead represent its advice to manufacturers.

However, the guidance said manufacturers had to notify the regulator if a flaw in a product led to someone being harmed or killed.

Security researcher Beau Woods said the FDA had been instrumental in getting healthcare organisations, manufacturers and cyber experts talking about how to tackle and fix vulnerabilities.

“If you look at the general trend over the last few years we are getting better and we are fixing them faster than we were before,” said Mr Woods, who is a member of an organisation called I Am The Cavalry that researches and advises on cyber issues that affect public safety.

This had led to many manufacturers adopting good vulnerability disclosure schemes and to some organisations that buy a lot of medical equipment demanding higher standards from their suppliers.

However, he said, the hyper-connectedness of all organisations including hospitals meant devices never meant to be online were now accessible via the net.

Mr Woods said he had seen attacks aimed at stealing personal data accidentally knock out older medical equipment that helped monitor vital life signs.

“It’s those types of things that scare me much more than someone lurking in the shadows,” said Mr Woods who is deputy director of the cyber statecraft initiative at the Atlantic Council think tank.

The FDA rules have been issued days before the start of the massive CES tech show in Las Vegas.

Gadgets that help people live healthier lives or let them manage chronic conditions, such as diabetes, are expected to feature strongly at the show.