Medical device hack-attack issues resurface

Three medical-device makers have been identified by unnamed sources as having their products under review by an arm of the Homeland Security Department for possible cybersecurity vulnerabilities, according to a published report.

But for the feds, providers and the devicemakers, the issue of vulnerabilities in medical devices is not a new one, according to industry experts.

Wanda Moebius, spokeswoman for the Advanced Medical Technology Association, a trade group for medical device manufacturers, declined to comment about what Homeland Security may or may not be looking into, but she added its interest is longstanding.

While “the risk of a malicious cyberattack is extremely low” compared to the benefits of the technology, “even so, manufacturers take seriously the need to continuously assess the security of these devices in a world where the risks, no matter how remote, evolve,” the association said in a statement,

“Both the manufacturers and the entire healthcare system that uses advanced medical technologies need to be aware of the potential for cybersecurity breaches,” the statement said.

Moebius and federal authorities, in their several statements about medical-device cybersecurity vulnerabilities, insist there are no known instances in which a vulnerability has been exploited by hackers to attack or harm patients.

But that doesn't mean an attack can't happen, said Michael “Mac” McMillan, CEO of security consulting firm CynergisTek. When a hospital system buys 500 hackable pumps or monitors that it connects to its IT network, it introduces 500 more places where that network is at risk, he warned.

The feds, providers and the devicemakers have known about these vulnerabilities for years, and providers have complained about them, McMillan said. The problem with the feds' response so far is that it's had “no teeth,” he said.

The Food and Drug Administration in 2013 issued a warning that it had learned of “cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations” and issued advice on how providers could protect themselves.

Earlier this month, the FDA followed up, issuing a final guidance asking medical-device makers to address cybersecurity issues during product development and to monitor the devices once they're on the market.

“The FDA guidance is just that, a guidance,” McMillan said. Manufacturers and providers are not obliged to follow it.

Security standards to address the vulnerabilities exist, he said. What's needed is an enforceable system similar to the one used with electronic health-record systems under the EHR incentive payment program that would test and certify devices for compliance to those security standards, and then mandate their use, McMillan said.

The latest report on possible vulnerabilities identified Homeland Security's Industrial Control Systems Cyber Emergency Response Team as conducting the review.

The agency is working with manufacturers to find and fix “bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment,” Reuters reported.

In June 2013, the response team issued an alert that researchers identified approximately 300 medical devices from about 40 vendors with password vulnerabilities.

Devices at risks included surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors and laboratory and analysis equipment.

Follow Joseph Conn on Twitter: @MHJConn