FBI recommends action to protect vulnerable medical devices from cyberattacks

Sep 12, 2022 - 03:20 PM
Cybersecurity woman IT professional

The FBI today released recommendations to help protect medical devices from cyberattacks that can threaten health care operations, patient safety, and data privacy and integrity, citing a growing number of unpatched medical device vulnerabilities.

鈥淭his past June, the AHA issued a letter of support to Congress for pending legislation known as the PATCH Act,鈥 said John Riggi, AHA鈥檚 national advisor for cybersecurity and risk. 鈥淭he letter echoed the need for medical device manufacturers to implement increased cybersecurity requirements for medical devices. Cyber vulnerabilities in medical devices, often containing outdated legacy technology, have posed a significant cyber risk to hospitals. In 2017, the FBI reported that the North Korean WannaCry global health care ransomware attack was fueled by vulnerabilities in medical devices.  

鈥淭he pending legislation would require medical device manufacturers to monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device, including third party software. 

鈥淚n the interim, it is good practice to increase cybersecurity requirements in medical device and medical technology business associate agreements. An excellent resource for medical technology model contract language can be found .鈥

For more information on this or other cyber and risk issues, contact Riggi at jriggi@aha.org.

Related News Articles

Headline
CISA releases guidance following reported legacy Oracle cloud breach
The Cybersecurity and Infrastructure Security Agency April 17 released guidance to reduce risks associated with a reported breach of Oracle cloud services.鈥
Headline
Agencies issue guidance on navigating deceptive online recruitment of current and former federal employees
The National Counterintelligence and Security Center, the FBI, and the Defense Counterintelligence and Security Center yesterday released guidance on鈥
AHA Cyber Intel
[Updated] 3 Must-know Cyber and Risk Realities: What鈥檚 Ahead for Health Care in 2025
While the rate of cyberattacks on hospitals has risen dramatically, the severity of the impacts has also grown exponentially. Let鈥檚 look at the state of cyber鈥
Headline
House subcommittee holds hearing on cybersecurity vulnerabilities in legacy medical devices
The House Energy and Commerce Oversight and Investigations Subcommittee April 1 discussed cybersecurity threats in legacy medical devices during a hearing. The鈥
Headline
AHA blog: Can collaborative efforts to improve device design improve safety?
Despite elegant efforts to design for safe use, rigorous standards and regulatory requirements, and lots of training of health care professionals, there鈥檚鈥
Headline
Administration extends national emergency for cyber threats
The Trump Administration March 28 announced that it renewed for one year the public emergency for ongoing malicious cyber-enabled activities against the U.S.鈥