Medical Device Makers to Discuss Burgeoning Cyber Threat

Two months after drug safety regulators urged medical device manufacturers to stay alert to the risk of cyber attacks, one prominent security group said it's partnering with the industry in an effort to develop a series of benchmarks aimed at tackling the threat.

While there has yet to be a cyber catastrophe involving a health-related device reported, the Food and Drug Administration and The Center for Internet Security (CIS) said they are being proactive in trying to stop an attack before it happens.

“The mobile device provides a critical function,” said Will Pelgrin, chief executive of CIS. “It only takes the weakest link on that network to cause havoc and potentially have consequences.”

CIS began gathering the brightest minds and most active participants in the medical health sector this week in an effort to develop benchmarks designed to lower the risk of attack. Their first webcast – taking place on Sept. 5 – will hone in on insulin pumps.

Pelgrin hopes to have benchmarks for the pumps completed by the end of the calendar year, allowing the nonprofit to focus on other devices, including pacemakers and defibrillators, starting next year.

While he wouldn’t reveal all of the parties that have agreed so far to participate, he did point to the Albany Medical Center, which was the first health-care provider to join the initiative. In the past, manufacturers have willingly joined, he said.

“This is a call of action to get as many manufacturers as possible to participate in this effort with us,” Pelgrin said. “As we get [them] to the table we will see where their priorities are.”

None of the major publicity-traded device makers, including Medtronic (NYSE:MDT), Boston Scientific (NYSE:BSX), Abbott Labs (NYSE:ABT), Johnson & Johnson (NYSE:JNJ) and St. Jude Medical (NYSE:STJ), could be immediately reached for comment.

The threat of malware and breaches against all devices has been growing in recent years, but the fear of an attack is high among medical devices that are both critical to a person’s health and attached to extremely personal and identifiable information stored in health networks.

In safety notices issued in June, the FDA said it found hard-coded password vulnerabilities in about 300 medical devices, pointing to the fact that many devices contain configurable embedded computer systems that can be sensitive to a breach.

“The FDA has become aware of cyber security vulnerabilities and incidents that could directly impact medical devices or hospital network operations,” it said in the report.

While health regulators at the time acknowledged that they weren’t aware of any patient injuries or deaths associated with cyber attacks against devices, the FDA encouraged device makers to remain vigilant about identifying hazards and putting in place the necessary security controls to mitigate the vulnerability.

The move, Pelgrin said, is proactive rather than reactive, adding that in this day and age when hackers are looking in inflict harm, the industry cannot wait for a "horrific event to occur before" something is done.