Vaccines, preventative medicines, medical screening and the body's own immune system are all designed to help safeguard against health issues before they occur. If only the same safeguards were applied in the area of cybersecurity involving medical devices and hospital-wide systems, potential liability exposure would be greatly reduced. FDA has now posted specific recommendations for manufacturers and hospital organizations to follow in order to minimize cyberattacks. FDA issued these recommendations against the backdrop of its draft Guidance for premarket submission for medical devices and the cybersecurity issues that accompany these submissions.

There has been an enormous increase in the industry's development and use of wireless, Internet and network devices. Moreover, the interconnection of systems in the hospital setting has allowed for the liberal exchange of health information. FDA has "become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations". Examples include, but are not limited to: medical devices connected to networks that are infected with malware; and hospital computer systems, smartphones and other technology where malware has infiltrated and obtained patient information in databases, implanted devices and patient monitoring systems. However, FDA reports that it is "not aware of any deaths or injuries associated with these incidents".

In making its recommendations, FDA stated that "many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches". Moreover, FDA noted that many devices are "interconnected" to various networks in the hospital and thus subject to attack.

While the FDA has proposed its Guideline and recommendations, there are no rules that a manufacturer or hospital can follow to protect itself from the significant liability that exists with a cybersecurity breach. It is left totally in the hands of the organization to address this issue. It is clear, however, that in order to reduce this significant and growing risk, actions must be taken to create and implement a cybersecurity system. At a minimum, the FDA recommendations provide some very basic ground rules.

In its posting, FDA recommends "evaluating" the security in network systems by:

1. Restricting unauthorized access to the network and networked medical devices.
2. Making certain appropriate antivirus software and firewalls are up-to-date.
3. Monitoring network activity for unauthorized use.
4. Protecting individual network components through routine and periodic evaluation, including updated security patches and disabling all unnecessary ports and services.
5. Contacting the specific device manufacturer if you think you may have a cybersecurity problem related to a medical device. If you are unable to determine the manufacturer or cannot contact the manufacturer, the FDA and DHS ICS-CERT may be able to assist in vulnerability reporting and resolution.
6. Developing and evaluating strategies to maintain critical functionality during adverse conditions.


Compromising the confidentiality and integrity of the information that is subject to cyberattack is tantamount to compromising patient safety. Accordingly, the potential risks from cyberattacks demand attention and a cybersecurity plan should be of the utmost importance to manufacturers and healthcare systems.
