FDA, facing cybersecurity threats, tightens medical-device standards
The security analysts wanted to know how easy it would be to hack into medical devices used in hospitals, knowing the danger if outsiders could gain control. They found the answer when they managed to figure out hundreds of passwords for equipment that included surgical and anesthesia devices, patient monitors and lab analysis tools.

“We stopped after we got to 300,” said Billy Rios, who found the passwords with his colleague Terry McCorkle.

They alerted the federal government about what they had done, contributing to the Food and Drug Administration’s decision to tighten the standards for a wide range of medical devices. The FDA’s move, announced Thursday, reflects growing concerns that the gadgets — which include everything from fetal monitors used in hospitals to pacemakers implanted in people — are vulnerable to cybersecurity breaches that could harm patients.

Computer viruses and other malware increasingly are infecting equipment such as hospital computers used to view X-rays and CT scans and devices in cardiac catheterization labs, agency officials said. The problems cause the equipment to slow down or shut off, complicating patient care. As more devices operate on computer systems that are connected to each other, a hospital network and the Internet, the potential for problems rises dramatically, they said.

“Over the last year, we’ve seen an uptick that has increased our concern,” said William H. Maisel, chief scientist at the FDA’s Center for Devices and Radiological Health. “The type and breadth of incidents has increased.” He said officials used to hear about problems only once or twice a year, but “now we’re hearing about them weekly or monthly.”

The FDA, in an effort to reduce the risks, for the first time is directing device manufacturers to explicitly spell out how they will address cybersecurity. The agency Thursday issued draft guidelines that, when finalized this year, will allow the FDA to block approval of devices if manufacturers don’t provide adequate plans for protecting them. The agency also issued a safety communication to manufacturers and hospitals.

In addition to viruses and malware, security risks include the uncontrolled distribution of passwords for software that is supposed to be accessed only by a few people and the failure by manufacturers to provide timely security software updates.

In a public alert Thursday, the Department of Homeland Security, which is working with the FDA, credited Rios and McCorkle — both of whom work for Cylance, a cybersecurity firm — for their research on devices and passwords. Unauthorized access to passwords could allow critical settings to be changed, affecting how devices operate and what they do, the alert said.

The two security experts created a spreadsheet listing the device passwords they obtained and the 50 manufacturers that made the equipment. The DHS and FDA are working with the manufacturers to verify whether the potential risks from the passwords “are indeed actual vulnerabilities,” Maisel said.