DHS Issues Guidance on Protecting Hospital Medical Equipment From Cyber Attacks
The Department of Homeland Security (DHS) is warning that roughly 300 medical devices from about 40 vendors could be vulnerable to hacking.
The alert was issued Thursday and indicated the vulnerability could be exploited to potentially change critical settings and/or modify device firmware. The affected devices are manufactured by a broad range of vendors and fall into a broad range of categories including but not limited to surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors, and laboratory and analysis equipment.
DHS noted, however, that ICS-CERT and the FDA are not aware that this vulnerability has been exploited, nor are they aware of any patient injuries resulting from this potential cybersecurity vulnerability.
ICS-CERT is currently coordinating with multiple vendors, the FDA, and the security researchers to identify specific mitigations across all devices. In the interim, ICS-CERT recommends that device manufacturers, healthcare facilities and users of these devices take proactive measures to minimize the risk of exploitation of this and other vulnerabilities. The FDA has published recommendations and best practices to help prevent unauthorized access or modification to medical devices. These include:
- Take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Appropriate security controls may include: user authentication, for example, user ID and password, smartcard or biometric; strengthening password protection by avoiding hardâ€‘coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
- Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity.
- Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
- Provide methods for retention and recovery after an incident where security has been compromised. Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.
For healthcare facilities: The FDA is recommending that you take steps to evaluate your network security and protect your hospital system. In evaluating network security, hospitals and healthcare facilities should consider:
- Restricting unauthorized access to the network and networked medical devices.
- Making certain appropriate antivirus software and firewalls are up-to-date.
- Monitoring network activity for unauthorized use.
- Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
- Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
- Developing and evaluating strategies to maintain critical functionality during adverse conditions.
If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!