Colorado Politics

DeGette questions cybersecurity of medical devices on the internet

The Food and Drug Administration is preparing a response to a request from Colorado Rep. Diana DeGette about how it will protect medical devices from cybersecurity threats.

DeGette (D-Denver) asked the FDA for an explanation this month as the nation recovered from an Oct. 21 cyber-attack and prepared for another one during the election last week.

The Obama administration blamed both the Oct. 21 attack and the threat of a second one against the U.S. election process on Russia.

DeGette and other members of Congress are concerned cyber-attackers could route their malware through unprotected medical equipment that uses the internet.

The Oct. 21 attack that briefly shut down major websites such as Twitter and PayPal was routed through computerized devices that used default passwords for security.

As more computerized devices connect to the Internet of Things (IoT), the threat of sophisticated cyber-attacks is growing, according to members of Congress.

DeGette was joined in her request for information to the FDA by Rep. Susan Brooks (R-Ind.). Both are members of the House Energy and Commerce Committee.

Their letter to the FDA says recent news about cyber-attacks shows a need for a closer look at the cybersecurity of medical devices, especially because about 15 million of them are integrated into the nation’s digital health network.

“We have also seen recent headlines about the potential for unauthorized access in insulin pumps and implantable cardiac devices, among others,” their letter says. “As technology will undoubtedly continue to evolve at a rapid pace, we must ensure that FDA is equipped with the appropriate cybersecurity expertise and resources to evaluate not only the current risks to new medical devices but also how new threats affect the medical devices already in use.”

The Oct. 21 cyberattack that prompted the concern in Congress was targeted at the internet routing company Dyn.

The attackers sought to overwhelm internet networks with fake traffic that resulted in “denial-of-service” for some websites. Visitors to some major websites were unable to gain access until the problems were resolved.

Security experts identified the malware used in the daylong attack as Mirai, which transmits “bots” into devices connected to the IoT. The bots then multiply the signals sent through the internet.

Dyn officials said about 10 million internet protocol addresses flooded its networks.

Other congressmen sought assurances about cyber-attacks from the Federal Trade Commission (FTC), which oversees the security and fair dealings of the nation’s businesses.

U.S. Reps. Frank Pallone (D-N.J.) and Jan Schakowsky (D-Ill.), both ranking members of committees that handle commerce, asked the FTC in a recent letter to make certain manufacturers install better cybersecurity systems in their internet-connected devices.

“Future devices should not be sold in the U.S. streams of commerce with deficient security mechanisms,” said the letter to FTC Chairwoman Edith Ramirez.

DeGette is hardly the first Capitol Hill insider to worry about whether the FDA was taking appropriate cybersecurity measures.

In August, the U.S. Government Accountability Office (GAO) released a report accusing the FDA of weaknesses in its data control systems that made them vulnerable to intruders.

The report said the FDA failed to fully implement a security program required by the Federal Information Security Modernization Act of 2014.

An FDA representative told The Colorado Statesman the agency has been working for several years to protect medical devices from cyber-attacks but getting the necessary cooperation from manufacturers and hospitals can be difficult.

“These types of attacks are no longer in the realm of the theoretical,” Angela Stark, an FDA spokesperson, said. “The FDA has previously communicated concerns around the use of hardcoded and default passwords in medical devices rendering them more vulnerable to unauthorized access,” especially when they are connected to the internet.

A June 13, 2013, FDA safety alert to medical device manufacturers and health care facilities cautioned them to take “appropriate safeguards” against cyber-attacks.

In August 2014, the FDA signed a memorandum of understanding with the National Health Information Sharing and Analysis Center to coordinate a nationwide cybersecurity system.

Last year, the FDA issued warnings about Hospira, Inc. infusion pump systems that are used to pump medications into the bloodstreams of patients. Their control systems could be accessed through the internet and wireless telecommunications.

Hospira said in a statement last week that “all new product releases undergo a robust testing process with both internal and third-party research. We continually assess and update our devices to combat potential vulnerabilities and maintain safety. When Hospira becomes aware of vulnerabilities, we have a rigorous process in place to assess them with internal and third-party professionals and work with our customers to put additional safeguards in place when needed.”

FDA officials said they are becoming more aggressive about blocking medical devices with computer vulnerabilities.

“We can and have delayed medical devices from coming to market until cybersecurity controls were considered adequate and residual risks were considered acceptable,” Stark said.

She also said the FDA plans to respond to DeGette’s request for information. The Colorado congresswoman asked for a reply by Dec. 16.

“The FDA has received the letter and will respond directly to Congress,” Stark said.

Other warnings about the cybersecurity threats for the medical profession came from private industry.

On Oct. 4, health product company Johnson & Johnson warned that one of its insulin pumps could overdose patients if hackers gained control over it through the internet. The company said no hack attacks were reported but they wanted to advise customers on how to stop the vulnerability.

“The OneTouch Ping insulin delivery system has multiple safeguards to protect the integrity of the pump and remains safe and reliable,” Johnson & Johnson said in a statement.

But other groups are less convinced about the cybersecurity of the U.S. health care system.

Last month, Security Scorecard, a New York City firm that rates cybersecurity, reported that 22 major cyber-attacks hit the U.S. health care industry since mid-2015, resulting in the loss of millions of patient records.

The report blamed hospitals for being slow to install cybersecurity systems.

