Medical devices vulnerable to cyberattack
The US Food and Drug Administration has just launched an alert on the vulnerability of medical devices to hackers’ attacks, that can take their control from remote, changing their functions with consequent malfunctioning and life threats for patients depending on them. The US State Department infrastructure dedicated to cybersecurity also published an alert document on this regard in July.
In Europe, the German regulatory affairs agency BfArM also published information on the vulnerabilities presented by MR machines and patient monitors; German big MD manufacturers did the same, pointing out those among their systems that could be at higher risk of cyberattack.
Information security can then be applied also to medical devices: the FDA document – called URGENT/11 – identified the operating systems at risk in devices, and manufacturers are already examining them to take appropriate preventing and solving actions; in some cases, they are also informing their customers with devices at risk (e.g. imaging systems, infusion pumps, anaesthesia machines, etc.).
In the meantime, the FDA is offering continuous assistance to manufacturers, and recommended a series of measures including carrying out risk assessments and collaboration with the operating system supplier to identify any possible update making the attacks more difficult.
The Agency also suggested a strict cooperation with manufacturers and healthcare providers and facilities to determine which devices are concerned and find new methods to ensure risk reduction.
Healthcare facilities have in turn started consulting programs for patients using devices potentially targeted by cyberattacks, while health professionals have been ordered to monitor network traffic and register any sign of system violation.
Insiders’ opinion is very different: cybersecurity experts consider the FDA recommendations as not very practical. Neither doctors nor patients would be able to identify information issues in the device functioning: for this reason they hope that information security teams will be restored in hospitals and other facilities, as they would be able to act promptly based on definite information and specific competence.
