Welcome back to our customary appointment with the news from Dispotech, your disposable excellence. Today we have the translation of an interesting interview for our readers that appeared on the American website lexology.com. It concerns the link between medical devices and cybersecurity.
In fact, once they are on the market, the majority of medical devices – from insulin pumps and pacemakers to defibrillators – are increasingly dependent on wireless connections and internet connectivity. However, it is only fair to stress that internet connections make devices vulnerable and expose them to tampering, hacking, and viruses, especially if you consider that medical devices are often connected to the entire network of a hospital and can be used as a medium to access sensitive data and/or penetrate the entire hospital structure. It is a delicate problem that is not to be underestimated. In the United States, this situation has become a veritable national torment that the prestigious Food and Drug Administration is dealing with: the American governmental agency in charge of overseeing and merchandising everything regarding drugs (including medical devices) and the foods that end up in kitchen cabinets in America.
The following is a translation of the first part of an interview with Jodi Scott, member of the FDA, who takes stock of the risks to which medical devices connected to the internet are exposed, how these can be harmful to the health and safety of patients, and how manufacturers can keep the risks of hacking in check.
For a while now, the FDA has been speaking out about the problem of cybersecurity with medical devices. What drove the agency to make these declarations?
“In this day and age where everything is connected to the internet, many take for granted that cybersecurity is nothing to worry about: the average user thinks that ‘all the necessary precautions have been taken and installed in the product software at the moment the equipment was assembled’. However, the majority of companies have put products on the market with short (or long) product lives, where technology that is able to hold off attacks from the web is simply not found. It is only logical that many devices are unequipped with antivirus software and are easily ‘breached’.
“Many companies pretend not to see it, but in actuality, the debate on cybersecurity has been going on for almost twenty years. The most naïve think that no one would have the heart to interfere with the medical devices of sick people; however, we find ourselves dealing with problems like this in enormous quantities: today’s hackers breach medical equipment for illicit purposes or simply to test their ability and see if they are able to break into the software.”
What type of checks would you recommend for medical devices that have just been put on the market?
“By and large, we tell our customers – those who work in development and design, as well as those who distribute the products – to step back and make all the necessary checks on cybersecurity, and see how they are managing risks. Some companies admit that they have a few weaknesses and are trying to reduce the product’s vulnerability to a bare minimum. Others, however, promise they will deal with it later, procrastinating: and what if something happens while you are taking time to do research and solve the problems?”
What are the problems that concern the FDA the most?
“There are several. I’ll try to give you an example.
“Let’s imagine that there is a vulnerable point in a device regarding cybersecurity: that’s where a virus tries to work its way into the software. If the hospital hasn’t loaded an anti-virus onto the system – and there are many hospitals that don’t use this type of software because they maintain that it slows down machinery performance – that virus is able to travel unhindered throughout the entire hospital network and infect it. This virus creates a ‘door’ through which anybody can enter and exploit sensitive data. An ill-intentioned person who enters the main ‘door’ can move in any direction: they might enter the remote control of any medical device in the hospital and tamper with it. For example, they can search for the personal data of a patient, or change medication normally administered in order to harm that patient; or even turn off a device that is keeping somebody alive whose very existence depends on a machine. This might sound like science fiction to readers: believe us when we say that the problem is real and even more serious than it seems. This last aspect is what concerns the FDA the most. We are working hard to ensure data integrity and to give a face to those who control the devices.”
The translation of our interview continues with next week’s article.
What’s your take on the situation? Had you already heard of cybersecurity for medical devices? If you’d like an explanation or to have your say, contact Dispotech, your disposable excellence.