Health care facilities should protect themselves against security vulnerabilities found in two computerized drug infusion pumps manufactured by Hospira.
Hacking for harm is a topic I have written about before and I am sure cyber hacking in the digital health realm will continue, perhaps even get worse, as technologies continue to advance. The latest concern about digital health cyber hacking comes from the Food and Drug Administration, which issued a communications safety alert recently.
The alert warned health care facilities to "protect against security vulnerabilities found in two computerized drug infusion pumps manufactured by Hospira." Specifically, the devices in question are the Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems.
These systems are computerized infusion pumps that have been designed to continuously deliver anesthetic or therapeutic drugs; they can be programmed remotely through a health care facility’s Ethernet or wireless network. As a result, the FDA expressed concern over the possibility of cyber hacking and issued the following statement as a result:
The FDA and Hospira have become aware of security vulnerabilities in Hospira’s LifeCare PCA3 and PCA5 Infusion Pump Systems. An independent researcher has released information about these vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump’s functioning. An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies.
The FDA says it is not aware of any patient adverse events or "unauthorized device access" related to these vulnerabilities, however, it is reminding health care facilities to practice safe "good cybersecurity hygiene" as outlined in one of its previous communications in 2013, entitled "Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication."
The previous alert contains some very valuable information for both digital health device manufacturers and health care facilities. The information bears repeating if you or someone you know is working in this space.
Recommendations for industry
Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance. - FDA
The FDA went on to say that it "expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices. Specifically, we recommend that manufacturers review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device. The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach."
In evaluating their device, the FDA recommends manufacturers consider the following:
- Limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.
- Proper security controls may include user a) verification such as a user ID and password, smartcard or biometric; b) reinforcing password protection by avoiding hard-coded passwords; and, c) restricting public access to passwords used for technical device access, physical locks, card readers and guards.
- Protect individual components from exploitation and develop strategies for proactive security protection appropriate for the device usage. Strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. The FDA says it typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity although the agency is obviously taking a very keen interest by issuing these recommendations.
- Use approaches to design that maintain a device’s main functionality, even when security has been compromised, known as “fail-safe modes.”
- Deliver methods for retention and recovery after security has been compromised.
Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery. - FDA
Security protection for health care facilities
The FDA recommends that hospitals and health care facilities include the following steps in their anti cyber-hacking protocols:
- Restrict unauthorized access to the network and networked medical devices.
- Make sure all of the appropriate antivirus software and firewalls are up-to-date and regularly maintained.
- Monitor network activity for any possible unauthorized use.
- Protect individual network components through regular and periodic evaluations, including the updating of security patches as well as disabling all unnecessary ports and services.
- Contact specific device manufacturers if you think you may have a cybersecurity problem related to help you with reporting vulnerabilities and resolving the problem.
- Develop and evaluate mechanisms to maintain "critical functionality" during adverse conditions.
Back in the day, and not too long ago either, proper hygiene in hospitals meant following traditional cleaning and hygiene protocols to prevent the spread of infection or disease. My how things have changed; now facilities must develop cyber hygiene protocols as well. As if there were not enough things to worry about in modern medicine these days.
Still, I think this alert from the FDA is an important and timely reminder that for all of its benefits, digital health and digital health devices are vulnerable to attack, which can only mean an increase in risk for patients and physicians alike. It's in everyone's interest to pay attention to warnings such as these and keep the conversation going.
Not doing so could affect the health and well-being of our health care facilities and the lives of many people in an already compromised state.
Top photo: David Pacey
The nuviun blog is intended to contribute to discussion and stimulate debate on important issues in global digital health. The views are solely those of the author.