FDA takes action on device cybersecurity
October 2, 2014 in Medical Technology
As Shellshock, the latest serious cybersecurity flaw, casts its shadow over healthcare, the U.S. Food and Drug Administration has finalized a set of recommendations to protect medical devices from Web-based attacks.
[See also: A security threat worse than Heartbleed]
Aimed at manufacturers, the guidance suggests device makers take serious stock of cybersecurity risk early in the design and development process – and show documentation to the FDA about the dangers they identify and the steps they’re taking to mitigate them.
The FDA also expects that manufacturers submit plans for providing patches and updates to operating systems and software as new risks crop up.
[See also: Threat matrix: Malware and hacking pose dangers to medical devices]
Shellshock, a bug in the widely used Bash command shell that was discovered this past week and quickly judged to be among “the worst of all time,” poses dangers to unpatched medical devices.
As one security analyst told The Washington Post, a targeted exploitation of the flaw “could allow a hacker to remotely own” technology from cellphones to medical devices.
This particular risk is fixable. The problem is that, while an administrator can install the upstream fix directly on a general-purpose server, medical devices and other embedded systems depend on the vendor to package that protective patch and make it available to end users.
Many organizations “have already pushed out patches – but some appear to be stopgap fixes that do not completely resolve the problem,” according to the Post.
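For readers who administer equipment that bundles Bash, the following check, added here as an example and not part of the original article or any FDA material, tests the Bash binary on a host both for the original Shellshock flaw (CVE-2014-6271) and for the follow-up CVE-2014-7169, the parser bug that the first, incomplete round of patches left open. It assumes a POSIX `sh` and that the Bash under test is on `PATH`; the `BASH_BIN` variable is this example's own convention for pointing it at another binary.

```shell
#!/bin/sh
# Constructed example (not from the article): probe a Bash binary for
# Shellshock and for the incomplete-fix follow-up. Assumes POSIX sh.
# BASH_BIN is an example-specific override for the binary under test.

BASH_BIN="${BASH_BIN:-bash}"

# CVE-2014-6271: a vulnerable bash executes the command that trails an
# exported function definition while importing it from the environment.
# Prints "vulnerable", "patched", or "missing" (no bash found).
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo missing; return 0; }
    # The variable value is a function body followed by a trailing command.
    out=$(env x='() { :;}; echo SHELLSHOCK' "$BASH_BIN" -c 'echo harmless' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: even after the first fix, a malformed definition could make
# bash misparse the next command, creating a file named "echo" in the current
# directory and running "date" instead of echoing the word. We run it inside
# a scratch directory and look for that file.
# Prints "vulnerable", "patched", "missing", or "error" (no scratch dir).
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo missing; return 0; }
    tmpdir=$(mktemp -d) || { echo error; return 0; }
    ( cd "$tmpdir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$tmpdir/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmpdir"
}

main() {
    echo "CVE-2014-6271 (Shellshock):        $(check_cve_2014_6271)"
    echo "CVE-2014-7169 (incomplete fix):    $(check_cve_2014_7169)"
}

main "$@"
```

Run it as-is to test the system Bash, or `BASH_BIN=/path/to/vendor/bash sh shellshock-check.sh` to test a firmware image's copy. A result of "patched" for the first check but "vulnerable" for the second is exactly the stopgap situation the Post describes, and it is why a device that "has been patched" still needs to be re-tested after the vendor's next release.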
In the meantime, the device is left unsecured – and the next big threat or vulnerability, the successor to Heartbleed and Shellshock, lies undiscovered in some tangled mess of obscure code.
The FDA now expects medical manufacturers to consider such potential risks while designing devices, and to have a plan to redress them with system and software updates.
As medical devices and health information technology become more interoperable, devices such as smart infusion pumps and implanted cardiac devices are left vulnerable to cyberattack, posing serious risks to patient safety.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, MD, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health, in a press statement announcing the new recommendations. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks,” she added.
The agency said it knew of no indication that “specific devices or systems have been purposely targeted, nor reports that any patients have been harmed as a result of cybersecurity breaches.”
The FDA has long expressed its concerns about cybersecurity vulnerabilities, such as malware infections on network-connected devices, vendors’ failure to provide timely security updates and vulnerabilities in off-the-shelf software.
Still, many security experts have found its regulatory efforts to be lacking.
[See also: Communication breakdown?]
In a statement, Stephen Cobb, security researcher at ESET North America, said that, “while long overdue, this move by the FDA is to be welcomed.
“Any efforts to focus attention on the security and privacy aspects of medical devices should be embraced, especially in light of the rapidly expanding adoption of consumer health devices and apps, mobile health, wearable technology and telemedicine,” he added.