A new communication has been issued by the U.S. Food & Drug Administration (FDA) for medical device manufacturers. This may sound like it is out of a science fiction movie, but the threat is conceivably a serious one. The FDA is telling medical device manufacturers, as well as hospitals and health care facilities, to take steps to protect against cyberattacks, hacks and malware.
Today’s communication may sound odd, but it is potentially a serious issue for devices as they become more and more advanced. We do not want to highlight any companies over others, but the risks here are serious. Medtronic Inc. (NYSE: MDT), Boston Scientific Corp. (NYSE: BSX), St. Jude Medical Inc. (NYSE: STJ), Intuitive Surgical Inc. (NASDAQ: ISRG) and many other device makers all have to consider these risks in the future. General Electric Co. (NYSE: GE) and many other broader-based manufacturers already have taken precautions for many of their connected medical imaging and information devices.
This new FDA communication warns against unauthorized access to configuration settings in medical devices and hospital networks. Can you imagine a device being retooled maliciously, like an inserted pacemaker/defibrillator? Or imagine if a robotic surgery system was maliciously recalibrated in even a slight manner for surgeries. The list of threats is endless, when you consider that implantable devices now are literally accessible from hospitals or doctor offices by patients calling on the telephone and holding the telephone receiver up to the area where the device was inserted into the body.
The FDA said:
Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches. In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical device, and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.
Vulnerabilities and incidents have been sent to the FDA over how these issues could impact medical devices or hospital networks. Malware on hospital computers or on connected medical devices is a threat. Simply accessing patient data is another threat. Distribution of passwords and other password protection issues are brought up. Another threat is in security software updates, as well as patches to medical devices.
The good news is that the FDA said that it is not aware of any patient injuries or deaths associated with these incidents. It also said that there is no indication that any specific devices or systems have been purposely targeted. The bad news is that this set of threats and concerns is conceivably a serious issue. If a nation or a group has no qualms about targeting military systems, communications systems, the banking systems, identity theft, counterfeiting of drugs and other criminal activities, what reason is there to consider that the would not pose a threat to targeted individuals or groups?