    Medical devices are vulnerable to hacking, warns FDA

    The US Food and Drug Administration has issued a warning to the healthcare industry, calling for more vigilance when it comes to protecting medical devices from hacking. Everything from pacemakers to hospital X-ray machines is at risk, thanks to a wide array of lax cybersecurity practices like "hard-coded passwords," out-of-date software, and poorly protected internet connections. The FDA is calling on medical device manufacturers to "take steps to assure that appropriate safeguards are in place," and is recommending that device makers submit security plans as a part of their FDA approval requests.

    Although the FDA says that it's not aware of any injuries or deaths as a result of hacking, a senior official told the Wall Street Journal that "We are aware of hundreds of medical devices that have been infected by malware." Ars Technica points to another report, issued by a group that acts as a liaison between private industry and government on cybersecurity matters, which calls attention to the issue of hard-coded passwords. "It's safe to say most medical device manufacturers are affected," one researcher told Ars. However, right now most hacking of medical devices occurs in a more traditional way — many hospital systems use computers that can be infected with traditional viruses like Conficker,

    The FDA's recommendations for both medical device manufacturers and hospitals aren't very far off from the kinds of things that consumers have heard for years: changing passwords, monitoring network usage for anything that looks questionable, and keeping software up-to-date. On that last point, the FDA notes that it "typically does not need to review or approve medical device software changes made solely to strengthen cybersecurity."

    Unfortunately, the industry may not be inclined to quickly and forcefully address cybersecurity. Big manufacturers have been reticent to acknowledge issues, let alone fix them. "There is a real fear that, along with acknowledgment, comes increased development costs and regulatory oversight," one executive told the WSJ.