On June 13th the U.S. Food and Drug Administration issued a cybersecurity advisory statement addressing the need for increased focus on security in medical devices and hospital networks. The statement is no surprise as it follows a more than a year of mounting pressuring and increasing evidence that the health-care sector is among the most vulnerable to hackers. Not only are they vulnerable but the data that typical medical networks contain is highly sensitive, Chris Wysopal outlined this in a recent interview with Fox News. And of course there's also the fact that a medical device not working as it should can be the difference between life and death.
There's no argument that the need for more security is apparent and imperative so we applaud the FDA for taking these first steps in remediating the problems at hand. The advisory statement recommends the following steps for medical device manufacturers;
- Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.
- Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
- Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
- Provide methods for retention and recovery after an incident where security has been compromised.
And for health care facilities;
- Restricting unauthorized access to the network and networked medical devices.
- Making certain appropriate antivirus software and firewalls are up-to-date.
- Monitoring network activity for unauthorized use.
- Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
- Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
- Developing and evaluating strategies to maintain critical functionality during adverse conditions.
We encourage you to review and read the entire advisory at fda.gov, if you have any questions regarding what your organization should do, please reach out to us!