FDA Advises Drastic Healthcare Change To Combat Cybersecurity Risks

Recently, Dunbar Cybersecurity wrote about the healthcare industry’s cybersecurity woes and how healthcare organizations can solve their problems to combat cybersecurity risks. Today, I’d like to follow up on that report in light of a recent FDA recommendation. The FDA advised that “medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack, which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.”

Simply put, it’s time for health care providers to take a look at their cybersecurity solutions—or lack thereof. The FDA is seriously concerned with the vulnerability of medical devices, as they contain configurable embedded computer systems. Truly, the healthcare industry faces an increasing risk of cybersecurity breaches as medical devices become progressively interconnected. With access to the internet, hospital networks, other medical devices, and smartphones, these devices pose an incredible risk to the security of sensitive patient information and even the functioning of hospitals.

Their concern is certainly not unfounded. Medtronic Inc, the world’s largest stand-alone medical device maker, reported in a regulatory filing on June 20 that it was the victim of a cyber-attack and lost some patient records in separate incidents last year. Tom Kellermann, chief security officer with Trend Micro Inc., has rightfully declared that “the security posture of most device manufacturers is in critical condition.”

The FDA clearly shares his concern and apprehension for the future of medical devices. It reported multiple concerns regarding cybersecurity vulnerabilities and incidents that could directly impact the operations of hospital networks. For instance, hackers could compromise devices through:

  • Malware on hospital computers, smartphones, and tablets that would give hackers access to patient data, monitoring systems, and implanted patient devices
  • Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel)
  • Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection
  • Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)

As Chris Ensey discussed in his post in June, the healthcare industry’s computer systems suffer from irregular security updates and from embedded systems that administrators often do not even know are on the network. Many devices still run on Windows XP, though Microsoft no longer supports it. This is incredibly dangerous, particularly when many individuals’ personal data and information are stored on these systems.

The easiest way to begin to secure your network is with a full and comprehensive assessment of your organization’s risk. Once embedded systems have been identified, they must be isolated to limit the opportunity for hackers to exploit vulnerabilities in their software. Even then, continuous monitoring of these systems is required to identify and block cyber-attacks. If you do not have a security provider who offers these services, Dunbar can help.
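To make the isolate-then-monitor step concrete, here is an added example (not code from Dunbar or the FDA) that checks network flow records against an isolation policy for a hypothetical medical-device VLAN. The segment, the management hosts, the flow-log format and all addresses are constructed assumptions; the logic flags any device traffic that leaves the approved paths, which is the kind of signal continuous monitoring should raise.

```python
import ipaddress

# Constructed policy: a hypothetical isolated medical-device VLAN and the only
# hosts it is permitted to exchange traffic with. All addresses are made up.
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# device -> peer: permitted destination ports per management/monitoring host
ALLOWED_OUTBOUND = {
    ipaddress.ip_address("10.10.1.5"): {443},  # hypothetical patch/update server
    ipaddress.ip_address("10.10.1.9"): {514},  # hypothetical syslog collector
}
# peer -> device: only these hosts may open connections into the segment
ALLOWED_INBOUND_SOURCES = {ipaddress.ip_address("10.10.1.5")}

def classify_flow(line):
    """Verdict for one flow record in the constructed 'src sport dst dport proto' format."""
    src, _sport, dst, dport, _proto = line.split()
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    src_in, dst_in = src in DEVICE_SEGMENT, dst in DEVICE_SEGMENT
    if not src_in and not dst_in:
        return "ignore"                        # does not touch the isolated segment
    if src_in and dst_in:
        return "allow"                         # device-to-device inside the segment
    if src_in:                                 # a device initiating outbound traffic
        if not any(dst in net for net in INTERNAL_RANGES):
            return "violation:internet-egress"  # devices must never reach the internet
        if dport in ALLOWED_OUTBOUND.get(dst, set()):
            return "allow"
        return "violation:unapproved-peer"     # e.g. a workstation share, not management
    if src in ALLOWED_INBOUND_SOURCES:         # approved management host reaching a device
        return "allow"
    return "violation:unapproved-inbound"      # anything else opening a session to a device

def audit(flow_log):
    """Return (line, verdict) pairs for every record that breaks the isolation policy."""
    findings = []
    for line in flow_log.strip().splitlines():
        verdict = classify_flow(line)
        if verdict.startswith("violation"):
            findings.append((line, verdict))
    return findings

# Constructed sample flow log: three of these records violate the policy.
SAMPLE_FLOWS = """10.50.0.12 49152 10.10.1.5 443 tcp
10.50.0.12 49153 10.10.1.9 514 udp
10.50.0.17 49154 203.0.113.7 80 tcp
10.10.1.5 55000 10.50.0.12 443 tcp
10.20.3.44 55001 10.50.0.12 3389 tcp
10.50.0.12 49155 10.20.3.44 445 tcp
10.20.3.44 55002 10.20.3.45 80 tcp
10.50.0.12 49156 10.50.0.13 80 tcp"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:32} {line}")
```

In practice the flow records would come from a firewall, NetFlow collector or span port, and each violation should both alert and feed back into tightening the segment's access rules.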