Ineffective Cybersecurity Poses Risks for Medical Device Safety

December 11, 2015

The FDA is exploring with stakeholders ways to ward off cybersecurity threats, as wireless, network-connected medical devices are increasingly used and health information is frequently exchanged electronically.

The agency will hold a public workshop on Jan. 20-21 to discuss a voluntary, risk-based framework to mitigate cybersecurity risks for devices. The Framework for Improving Critical Infrastructure Cybersecurity, developed by the National Institute of Standards and Technology, has been used within the healthcare and public health sector to reduce cybersecurity risks.

During the workshop, the FDA will also seek input on how to adapt the Common Vulnerability Scoring System (CVSS) assessment tool for medical devices. Manufacturers can manage the impact of vulnerabilities by using the CVSS, but incorporating the tool into assessments for medical devices has proven to be a challenge because it does not directly incorporate patient risk, says the FDA.

If device cybersecurity vulnerabilities are exploited, products could malfunction, healthcare services could be disrupted and patient information could be compromised, the FDA says.

The FDA’s announcement of the upcoming workshop follows a recent report by Forrester Research predicting that as early as next year hackers will target medical devices, ranging from GPS-enabled asthma inhalers to wearable tech-tattoos that monitor vital functions, for cyber extortion. But one expert says better candidates would be large machines like MRIs or CAT scanners, systems that directly interact with the electronic health record (IDDM, Dec. 4).

Like all computer systems, medical imaging devices are subject to risks that may harm software, hardware or data security. As imaging systems become increasingly connected to networks, security risks move beyond the system itself to intrusions across digital networks, says the Medical Imaging & Technology Alliance.

In a recently released white paper, MITA says medical imaging manufacturers should prioritize cybersecurity best practices on incident risk mitigation. Manufacturers should consider options for robust yet rapid authentication, including passwords that allow long strings, and access options for smart cards and biometric identification.

More information on the FDA’s workshop Moving Forward: Collaborative Approaches to Medical Device Cybersecurity is here: www.fdanews.com/12-15-FDA-Cybersecurity.pdf. MITA’s white paper Cybersecurity for Medical Imaging can be accessed here: www.medicalimaging.org/2015/11/05/nema-publishes-nemamita-csp-1-2015-cyber-security-for-medical-imaging/. — Jonathon Shacat