The medical device industry's trade group says that hasn't happened yet. “Despite the fact that there has been no patient harm as the result of either inadvertent or intentional cybersecurity breaches, we understand FDA's desire to be cautious in this area,” Janet Trunzo, senior executive vice president of technology and regulatory affairs for the Advanced Medical Technology Association, said in a statement.
Though the FDA does not believe that specific devices or systems have been purposely targeted, hospitals have been the victims of cyber breaches brought about by increased connectivity and a virus-plagued Internet, or “swamp,” as Halamka calls it.
At Beth Israel, a radiology workstation became infected, putting personal patient data at risk as it was transmitted off the workstation and onto an external server. And a fetal monitor for women with high-risk pregnancies was also infected with malware, slowing the device so much that it was taken out of service.
These kinds of events are exactly why the FDA issued its guidance and why Halamka said this guidance, plus awareness, is essential.
The FDA is recommending that manufacturers implement security controls such as user authentication, stronger passwords, physical locks and card readers. Other suggestions include security patches and restricting updates to authenticated code, as well as design approaches that maintain a device's critical functionality even in the event of an attack or breach.
Healthcare facilities, according to the FDA, should restrict unauthorized access to networks and devices, update antivirus software and firewalls, monitor network activity and also develop strategies to maintain critical functionality when security is compromised.
“It's a really important responsibility for the clinical engineering professional to take on in collaboration with IT to address these risks,” said James Keller, vice president of health technology evaluation and safety at ECRI Institute. “A really simple thing that hospitals really need to do is have a good understanding of what medical devices are connected to their network.”
The FDA is also requesting that manufacturers and healthcare personnel report cybersecurity events to MedWatch, its Safety Information and Adverse Event Reporting program, to identify vulnerabilities and reduce future incidents.
Follow Rachel Landen on Twitter: @MHrlanden