FDA: Cyberattacks make healthcare 'hostile environment' for security

With healthcare cyber attacks on the rise, the Food and Drug Administration is shifting its concern to a largely untargeted, yet vulnerable, area: medical devices.

Here are six things to know.

1. The FDA is concerned that medical devices and the technology behind them do not offer enough cybersecurity.

"This is what we said to manufacturers: one should consider the environment a hostile environment, there are constant attempts at intrusion ... and they have to be hardened," Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health, told The Hill.

2. Terry Rice, vice president of IT risk management and chief information security officer at Merck & Co., discussed the vulnerabilities with the House Energy and Commerce Oversight and Investigations Subcommittee last week.

"Vulnerabilities in pacemakers and insulin pumps can be exploited to cause potentially lethal attacks and we have witnessed entire hospitals in the U.S. and U.K. shutting down for multiple days to combat ransomware infections in critical systems," he said.

3. Mr. Rice, a member of the Healthcare Industry Cybersecurity Task Force, also said cybersecurity issues are "significantly underreported," according to The Hill.

"Organizations are unlikely to report security incidents if not required to do so given the potential reputational harm that might occur," he said. "The reports we read about are only a small fraction of the incidents that actually occur."

4. Both the FDA and devicemakers are adding cybersecurity experts to their teams to improve security measures, according to Zach Rothstein, associate vice president at the Advanced Medical Technology Association.

"You're starting to see FDA hire software experts so that internally they have more capabilities to evaluate cyber security programs of these companies," he told The Hill. 

5. Mr. Rothstein said medical device companies are also introducing "coordinated disclosure" policies, which allow researchers to report any vulnerabilities to the company, instead of making them public and inviting hackers to take advantage of the security flaw before it is fixed.

6. At present, there are no known cases of hacked medical devices harming a patient, according to Mr. Rothstein.

© Copyright ASC COMMUNICATIONS 2021.