The U.S. Food and Drug Administration asked medical-device makers to fortify products against hackers and malware Thursday, citing a recent uptick in cybersecurity incidents affecting equipment such as patient monitors and imaging devices.
In the guidance, officials asked companies to develop security controls that would protect the confidentiality and integrity of data and limit malfunctions in the event of computer viruses, which they said could lead to patient harm.
For the first time, officials also recommended that device makers, when they seek approval to market their products, prepare for cyberattacks that intentionally target devices. They separately asked hospitals to look out for cybersecurity failures, which are often difficult to detect and go unreported.
"Over the last year we've seen significantly more noise related to cybersecurity issues, both with the identification of vulnerabilities and with actual incidents," said Bill Maisel, deputy director for science at the FDA's Center for Devices and Radiological Health. He said the agency had received reports of cybersecurity incidents involving radiology equipment and a fetal monitoring device.
One reason for the increase is that devices are increasingly interconnected. Devices in intensive-care units, hospital rooms and operating theaters are tethered to medical networks that in turn connect to the Internet, opening the door for viruses to reach the devices.
The FDA said it didn't know of deaths or injuries linked to the problems. But "it's not difficult to imagine how these types of events could lead to patient harm," Dr. Maisel said.
Though security researchers have demonstrated that they can hack devices such as insulin pumps and defibrillators in laboratories, most device cybersecurity incidents are "collateral damage" in which viruses accidentally find their way across the Internet to computerized devices, Dr. Maisel said.
"The biggest risk in the short term is the simple inability to give patients care," said Kevin Fu, a security researcher at the University of Michigan. For instance, viruses could disrupt the integrity of data or overload processors, leaving hospitals with temporarily inoperable equipment that might be needed for urgent treatments, he said.
"We, like all other industries, live in a cybersea," said Bernie Liebler, a quality-assurance official at the device industry group AdvaMed. He said device makers had been preparing for cybersecurity issues for years but that the probability of such instances was low.
Companies acknowledged the threat but declined to discuss specific incidents. Medtronic Inc., a maker of pacemakers and defibrillators, said in a statement that "the benefits of the therapy outweigh these risks." No instance of a cyberattack on an implantable device has been documented, but Medtronic has consulted with security firms such as Symantec Corp. and Wurldtech Security Technologies Inc.
General Electric Co., which manufactures imaging devices such as CT scanners, "takes data privacy very seriously and continuously monitors our security systems and procedures to reduce risk against threats in the environment," a spokesman said in a statement.