FDA Encouraging Hackers to Submit Medical Device Cybersecurity Flaws
On June 13, 2013, the Food and Drug Administration issued a safety communication to medical device manufacturers, hospitals, medical device user facilities, health care IT and biomedical engineers, advising them to take steps to strengthen cybersecurity for medical devices and hospital networks. The FDA warned that as medical devices are increasingly interconnected, via the internet or wireless devices, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.
The FDA advised that it has become aware of cybersecurity vulnerabilities and incidents where networked or wireless medical devices have been infected or disabled by malware from hospital computers, smartphones and other mobile devices using wireless technology. Moreover, the failure to provide timely security software updates in older devices has also presented security vulnerabilities. The FDA is not aware of any patient injuries or deaths associated with these types of incidents.
In addition to reaching out to medical device manufacturers and health providers, the FDA is also inviting computer hackers who have successfully uncovered security flaws to submit their findings. For instance, a security analyst discovered a software bug in his insulin pump that could allow hackers to take remote control of the device. Another security researcher reported to the FDA that he was able to force some insulin pumps to dispense fatal insulin doses from 300 feet away. These reported incidents have prompted FDA investigations.
These security risks may usher in new litigation regarding potential liability for damages resulting from medical device cybersecurity breaches. Manufacturers should remain vigilant about identifying cybersecurity risks and take appropriate steps to limit opportunities for unauthorized access to medical devices. Further, manufacturers and providers should review cybersecurity policies and practices to ensure that appropriate safeguards are in place to prevent unauthorized access or modification, and that they are prepared to respond in the event of a security breach.