Moebius and federal authorities, in their several statements about medical-device cybersecurity vulnerabilities, insist there are no known instances in which a vulnerability has been exploited by hackers to attack or harm patients.
But that doesn't mean an attack can't happen, said Michael “Mac” McMillan, CEO of security consulting firm CynergisTek. When a hospital system buys 500 hackable pumps or monitors that it connects to its IT network, it introduces 500 more places where that network is at risk, he warned.
The feds, providers and the devicemakers have known about these vulnerabilities for years, and providers have complained about them, McMillan said. The problem with the feds' response so far is that it's had “no teeth,” he said.
The Food and Drug Administration in 2013 that it had learned of “cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations” and issued advice on how providers could protect themselves.
Earlier this month, the FDA followed up, issuing a final guidance asking medical-device makers to address cybersecurity issues during product development and to monitor the devices once they're on the market.
“The FDA guidance is just that, a guidance,” McMillan said. Manufacturers and providers are not obliged to follow it.
Security standards to address the vulnerabilities exist, he said. What's needed is an enforceable system similar to the one used with electronic health-record systems under the EHR incentive payment program that would test and certify devices for compliance to those security standards, and then mandate their use, McMillan said.
The latest report on possible vulnerabilities identified Homeland Security's Industrial Control Systems Cyber Emergency Response Team as conducting the review.
The agency is working with manufacturers to find and fix “bugs and other vulnerabilities that hackers can potentially use to expose confidential data or attack hospital equipment,” .
In June 2013, the response team that researchers identified approximately 300 medical devices from about 40 vendors with password vulnerabilities.
Devices at risks included surgical and anesthesia devices, ventilators, drug infusion pumps, external defibrillators, patient monitors and laboratory and analysis equipment.
Follow Joseph Conn on Twitter: