by Karl Kapp
A few weeks ago, the blaring of emergency sirens set off by a cyber-attack awakened citizens in Dallas, Texas. Over 156 sirens that are usually quiet and only used for emergencies were compromised when someone figured out how to set all of them off in the middle of the night. And recently the FBI has indicated that car “hacking”, or the remote cyber security breaching of automobiles, is a real risk. Self-driving cars and trucks may be at even higher risk, as the first self-driving truck made a 120-mile beer run in late 2016 and more are scheduled in the future.
And in the medical industry, health care records and personal health care information are breached at a surprisingly high rate. In fact, according to the Department of Health and Human Services (HHS), over 113 million records were hacked in 2015. The FDA is telling device manufacturers that they should treat the environment into which they release their products as hostile, and that devices such as insulin pumps and pacemakers need to be “hardened” against possible breaches.
The medical device industry has taken heed of these incidents and is working to protect medical devices from possible hacking. Recently, medical device industry representatives and lawmakers met to discuss what was being done to mitigate the risk of hacking of medical devices.
The FDA recommends some of the following precautions:
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing and detecting presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
As technology marches on, medical device manufacturers will need to take extraordinary precautions to ensure that the devices used by patients are safe from would-be cyber-attacks.