Federal regulators are fervently trying to protect you from something worse than a hacker stealing your personal data: a hacker taking your life.
The Food and Drug Administration took its first enforcement action related to lax cybersecurity of a medical device after it discovered hackers could take control of certain infusion pumps. In doing so, it put the device industry on notice that it needs to improve its safeguards, experts said.
The agency warned hospitals Friday that the Hospira infusion pump series called Symbiq is susceptible to a cyberattack and they should immediately switch to another pump.
No pumps have been hacked and no patients have been harmed, Hospira said. In addition, experts say they are not aware of any hacking incidents involving medical devices.
Patients shouldn’t be afraid to use such devices, since the devices can save their lives, said Kevin Fu, associate professor at the University of Michigan and a device cybersecurity expert.
But the latest warning signals the FDA is taking security seriously and “will not hesitate to intervene if the manufacturers are unable to address cybersecurity risk meaningfully,” he said.
The agency in recent years has moved quickly on cybersecurity, which is outside of its expertise. In May, it put out a regulatory guidance with advice for device makers on how to protect their products.
Of particular concern are infusion pumps, which are an attractive target for hackers, Fu said. The pumps, which deliver fluids such as nutrients and medications, are ubiquitous in healthcare facilities and are easier to hack than more complex devices such as defibrillators or pacemakers, he said.
While cybersecurity has been a vital part of the computing industry for decades, it is still new to medical devices.
Jay Radcliffe knows firsthand the vulnerability of medical devices. In 2011, he hacked into his own insulin pump to show how unprotected devices can be.
“In 2011 it wasn’t on anybody’s radar,” said Radcliffe, senior security consultant for the security firm Rapid7. He added that companies and regulators didn’t know how “connected these devices were going to become.”
The FDA rejected any connection between the warning and the recent hack of the Office of Personnel Management, which compromised the personal data of more than 22 million government workers, friends and family.
The agency has been aware of the cybersecurity vulnerabilities since last year and was working with Hospira to address the problem with its Symbiq pump systems, according to spokeswoman Angela Stark.
But independent researcher Billy Rios released new information on the cybersecurity flaws in June, namely that a hacker could remotely operate the pump.
Hospira started to retire the Symbiq line in 2013 and was transitioning hospitals to another system. But the FDA and the Department of Homeland Security called for a much faster transition in light of the security flaws.
View the original content and more from this author here: http://ift.tt/1ICVR80