The FDA recently released a new warning regarding medical devices, malware and cyber-security. The recommendations are sound and reflect progress since the release of the United States Government Accountability Office report on Medical Devices citing a need for expanding information security.
Any implantable medical device has a planned lifespan of ten years, because undergoing major surgery more frequently than that is really not an option. But there are also all levels of medical device technology that aid in care, treatment and health monitoring to consider. These devices must be supported in standard care situations, but they also have interactions in adverse events in emergency rooms at any point in time. Manufacturer diversity is also a risk factor.
The FDA urges medical device manufacturers to strengthen security, and McAfee continues to provide solutions and services to build better healthcare devices. But what I see as a breakthrough is the broader reporting of risk with these devices, which is being recommended. Most healthcare professionals know or recognize when a device is behaving ‘off’, but unless there was an adverse event there wasn’t any real guideline on how to report suspicious or possibly malware-infected systems until now. This FDA release now clearly recommends:
Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
The first step in fixing any problem is recognizing that there is a problem. Evolving the security management for these systems will give the manufacturers more insight into possible problems. It also gives the FDA visibility if a manufacturer is not taking action. As the medical device market continues to expand, the problem of security management over the lifetime of a device is a safety issue. Good to see more care, maintenance and vigilance with this problem to drive long-term security and patient care.