Medical Devices, FDA IT Systems Vulnerable to Hacking
Concerns about potential security flaws in medical devices and hospital equipment are significant enough to warrant investigation by the US Department of Homeland Security.
The agency’s Industrial Control Systems Cyber Emergency Response Team is looking at weaknesses in devices including an infusion pump from Hospira and implantable heart devices from Medtronic and St Jude Medical, among others, Reuters reported recently. The US Food and Drug Administration released guidance in October urging medical device makers to test their products for cybersecurity vulnerabilities before and after they’re released to market.
“The conventional wisdom in the past was that products only had to be protected from unintentional threats. Now they also have to be protected from intentional threats too,” William Maisel, chief scientist at the FDA’s Center for Devices and Radiological Health, told Reuters.
But Mac McMillan, CEO of security consulting firm CynergisTek, tells Modern Healthcare that issuing guidance doesn’t go far enough, arguing that it has “no teeth.”
Instead, device makers should be incentivized to create more secure systems, similar to the way the “meaningful use” EHR Incentive Program incentivizes security standards.
Vulnerabilities in the FDA’s Own Systems
A recent security audit by the Health and Human Services Office of the Inspector General (OIG) found that the FDA’s own internal IT systems weren’t quite up to snuff.
“We identified FDA web pages that did not perform adequate input validation on data entered by the user. Exploitation of this vulnerability could result in malicious input being sent from an attacker to FDA web pages to hijack a user’s web browser application, install malicious programs, or redirect users to malicious web pages,” the OIG report stated.
According to Health Data Management, the FDA fell prey to a security breach that exposed sensitive information in 14,000 user accounts.
To strengthen its systems, OIG recommended that the FDA “fix the web vulnerabilities identified, implement more effective procedures to protect its computer systems from cyberattacks, and periodically assess the security of all of its Internet-facing systems.”