The FBI today released recommendations to help protect medical devices from cyberattacks that can threaten health care operations, patient safety, and data privacy and integrity, citing a growing number of unpatched medical device vulnerabilities.

“This past June, the AHA issued a letter of support to Congress for pending legislation known as the PATCH Act,” said John Riggi, AHA’s national advisor for cybersecurity and risk. “The letter echoed the need for medical device manufacturers to implement increased cybersecurity requirements for medical devices. Cyber vulnerabilities in medical devices, often containing outdated legacy technology, have posed a significant cyber risk to hospitals. In 2017, the FBI reported that the North Korean WannaCry global health care ransomware attack was fueled by vulnerabilities in medical devices.  

“The pending legislation would require medical device manufacturers to monitor and identify post-market vulnerabilities in a timely manner, develop a plan for coordinated vulnerability disclosure, provide lifetime cybersecurity support of the device and provide an accounting of all software contained in the device, including third party software. 

“In the interim, it is good practice to increase cybersecurity requirements in medical device and medical technology business associate agreements. An excellent resource for medical technology model contract language can be found here.”

For more information on this or other cyber and risk issues, contact Riggi at jriggi@aha.org.

Related News Articles

Headline
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center Nov. 21 warned of a human-operated ransomware threat targeting…
Headline
Philips has reported two potential issues with Respironics Trilogy ventilators that were recalled in June 2021 and reworked, the Food and Drug Administration…
Headline
The FBI, Cybersecurity & Infrastructure Security Agency, and Department of Health and Human Services yesterday recommended actions to reduce the risk of…
Headline
The Cybersecurity & Infrastructure Security Agency and FBI today advised organizations to protect VMware Horizon servers from a Log4Shell…
Headline
The Cybersecurity & Infrastructure Security Agency encourages OpenSSL users and administrators to upgrade to version 3.0.7 to patch two high-severity…
Headline
The Food and Drug Administration yesterday revised its emergency use authorizations for all COVID-19 antigen tests to authorize serial testing and require…