Russ King

FDA Compliance

Cybersecurity—A Real Threat to Medical Devices

Safeguards must be implemented to protect patients

Published: Monday, August 24, 2015 - 11:36

The FDA just issued a Safety Communication on the cybersecurity vulnerabilities of the Hospira Symbiq Infusion System, which is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population. The pump is mostly used in hospitals or other acute and non-acute health care facilities such as nursing homes and outpatient care centers. This infusion system can communicate with a Hospital Information System (HIS) via a wired or wireless connection over facility network infrastructures.

Unfortunately, it appears that it’s possible to access this pump remotely through a network, allowing unauthorized users to control the pump and change the dosage it delivers, potentially harming the patient. Although it doesn’t appear that any unauthorized access occurred with this particular product, and Hospira is no longer selling it, cybersecurity is still a real concern. Now that more and more devices are connecting remotely to health care networks, it will be critical for manufacturers to implement appropriate safeguards.

In June 2013, the FDA outlined good practices to follow in Cybersecurity for Medical Devices and Hospital Networks. In this communication, the FDA recommends that medical device manufacturers and health care facilities take steps to assure that appropriate safeguards are in place to reduce the risk of failure due to cyberattack. An attack could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.

As medical devices rely more heavily on networked communication, cybersecurity is going to become an even greater concern. The FDA has already become aware of the following breaches:
• Network-connected/configured medical devices infected or disabled by malware
• The presence of malware on hospital computers, smartphones, and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices
• Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel)
• Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)
• Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection

As a medical device manufacturer, it’s important for you to remember that it’s your responsibility to identify risks associated with your devices. The FDA expects you to take appropriate actions to limit opportunities for unauthorized access to the device. If you need assistance implementing safeguards for your devices, we can help you determine how to reduce product risk.

First published Aug. 11, 2015, on the AssurX blog.

About The Author

Russ King

Russ King is president of Methodsense, a consulting firm that helps clients deliver medical and technological breakthroughs by effectively meeting the requirements needed to bring their products to market.