Look for More FDA Medical Device Security Alerts in 2016
Security Researcher Kevin Fu Addresses Risks of Legacy Equipment
Healthcare organizations should expect the Food and Drug Administration to issue more cybersecurity alerts about medical devices in the year ahead, security researcher Kevin Fu predicts.
This year, the FDA and the Department of Homeland Security took steps to raise awareness of the cybersecurity risks posed by medical devices. That includes the FDA issuing a warning in August urging healthcare organizations to discontinue the use of a family of medical devices from Hospira due to safety concerns related to cybersecurity issues (see FDA: Discontinue Use of Flawed Infusion Pumps).
"I think you are going to see more of these product advisories," says Fu, director of the Archimedes Research Center for Medical Device Security at the University of Michigan. "No one likes to talk about it in public, but the fact is we have a lot of legacy equipment where cybersecurity wasn't part of the early design requirements," he says in an interview with Information Security Media Group.
"So you're likely to see other medical devices, [including] bedside devices, being affected [by potential cybersecurity issues], because if it's as easy as breaking down an open door, now that all our open doors are connected to the Internet, or have pathways to the Internet ... it becomes a significant hazard that could affect patient safety."
Legacy Device Woes
Many of the cybersecurity risks facing legacy medical devices are associated with malware affecting older operating systems and other unpatched software that still runs on those devices, he says. "There's a large amount of old equipment, old software [installed at hospitals] that are naturally susceptible to old malware," he says. "So, malware from 10 years ago doesn't get into too many places, except hospitals."
In the interview (see audio link below photo), conducted at a recent privacy and security forum hosted in Boston by the Healthcare Information Management and Systems Society, Fu also discusses:
- Steps medical device makers should take to build cybersecurity into their products, rather than treating security issues as an afterthought;
- Steps that hospitals and other healthcare organizations can take to improve the cybersecurity of medical devices running in their environments;
- How hospitals can better balance clinician demand for using certain preferred medical devices against the cybersecurity risks involved.
Fu is associate professor of electrical engineering and computer science at the University of Michigan, where he directs the Archimedes Research Center for Medical Device Security. Previously, he served as an associate professor of computer science and adjunct associate professor of electrical and computer engineering at the University of Massachusetts, Amherst. Fu also has served as a visiting scientist at the Food and Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research and the Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab. He also serves as chief scientist at the malware-detection start-up Virta Labs. He's a member of the National Institute of Standards and Technology Information Security and Privacy Advisory Board.