The presence of malware is sometimes only discovered when someone notices that the system is lethargic or there is some issue with device performance. With this new guidance the FDA is trying to kick-start the process so cyber security concerns are integrated into the planning stages of production and systems are in place to check for and respond to cyber threats. “We don’t want to wait for that point where a device is performing inappropriately,” Maisel says. “We want device-makers and hospitals to be proactive.”
Being proactive, however, can be a tall order. Just as a home computer can run into issues when downloading the latest updates, hooking hospital systems up to the latest security patches—a step named in the guidance—comes with the risk of temporarily harming the system while kinks get worked out. In the past some companies advised against getting updates to the system for just that reason. “If you break an important medical scanner because you rolled out a patch, that’s just as bad as having malware since the device is now unavailable,” says Bryan Gulachenski, interim executive director at StopBadware, a nonprofit anti-malware organization. Cyber security experts agree that a large part of this process will be manufacturers and hospitals educating themselves.
As manufacturers strive to incorporate traditional cyber security protection techniques into medical devices including pacemakers, medical scanners and life-sustaining machinery, another balancing act needs to be struck: how to adequately protect emergency care devices while creating situations where caregivers can quickly bypass the need for pass codes to provide immediate care. “That is a very real concern. When I log into my e-mail account on a Web site, if I type my password wrong three times, it locks me out. That’s okay. That’s not okay for a medical device,” Fu says. Companies looking at this issue will need to build in flexibility for these realities, he adds.
Some companies have already been strategizing about how to create these safeguards, says Mike Ahmadi, a medical device security consultant. Medical device companies remain hesitant to market their products as being secure, because they do not want to invite attacks on their systems from hackers who like a challenge, he says. “I know a couple pacemakers who are doing a more than adequate job, but none are going to come forward and say we have a secure device and you should buy it for that reason.” Advertising about security, he says, can also be a matter of liability if the system is compromised.
For now, it’s a matter of managing risk. “There’s always going to be malware. It’s just like the U.S. Centers for Disease Control doesn’t try to eliminate every disease—it tries to control them. It’s the same with malware—the cat’s out of the bag and it’s out there,” Fu says. “At this point there are no meaningful controls for malware and for the most part we rely on hope; the problem is there are too many entry points to enumerate.”