While most eyes interested in cybersecurity for the past two weeks have been focused upon (and for good reason) the Equifax breach, the U.S. Food and Drug Administration (FDA) continued its pressure on medical device manufacturers to build security into product design — just as the U.S. Department of Homeland Security warned the medical community of eight vulnerabilities in Smiths medical wireless infusion pumps.
Let’s face it: building security into a product is certainly not a new concept. And while the software industry has fallen short, software makers have known for some time that the correct way to go is to develop software that is secure by design, secure in how it’s developed, and secure in how it’s deployed and managed in production.
Now, as software and network connectivity increasingly finds their way onto medical devices, the same need for secure development practices is more true than ever for medical implants and other devices. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, recently said that the FDA is dedicated to getting everyone in the medical device industry involved in these important efforts of securing medical devices.
The FDA is working to "foster a culture of continuous quality improvement," Healthcare IT News quoted Schwartz. Schwartz explained to the publication how the FDA has adopted advice from the National Institute of Standards and Technology (NIST) and to share information among the National Health Information Sharing and Analysis Center (NH-ISAC) about the security of medical device threats and vulnerabilities.
Medical device makers had better act fast when it comes to getting their act together. In late August, the FDA issued a recall of Abbott’s pacemakers. This voluntary recall involved the same pacemakers that made news earlier this year (and covered by Business Insights in St. Jude Takes Steps to Secure Vulnerable Medical Implants), that enabled attackers to drain the battery life and alter the software on the pacemakers.
These devices exist installed into the chests of patients — needless to say the required hospital trip to fix these types of software vulnerabilities are a much greater hassle — and much more dangerous — than a computer endpoint update and reboot.
The Abbott pacemakers require new firmware, and on August 29 the FDA issued the advisory Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication that said that
many medical devices, including St. Jude Medical's implantable cardiac pacemakers, contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. “As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the FDA wrote.
“The FDA has reviewed information concerning potential cybersecurity vulnerabilities associated with St. Jude Medical's RF-enabled implantable cardiac pacemakers and has confirmed that these vulnerabilities, if exploited, could allow an unauthorized user (i.e. someone other than the patient's physician) to access a patient's device using commercially available equipment. This access could be used to modify programming commands to the implanted pacemaker, which could result in patient harm from rapid battery depletion or administration of inappropriate pacing,” the agency said.
That’s very scary stuff.
There are 465,000 of these devices implanted in the U.S. alone, according to the FDA. Fortunately, there’s no documented cases of harm coming from these vulnerabilities.
Earlier this year the FDA published a 30-page guide to help manufacturers not only identify flaws in products after they’ve shipped, but also work with bug finders who identify flaws. As we wrote then, these are also two issues traditional software makers still find challenging, but have built processes that have improved their relationship and success with security researchers.
In the blog post announcing the guidance, the FDA detailed that medical device manufacturers should implement what it called “a structured and comprehensive program to manage cybersecurity risks.” This means manufacturers should, according to the FDA:
Now, in this latest advisory, the FDA recommends Health Care Providers:
The firmware update process is detailed here.
What an awful mess. Patients shouldn’t have to worry about cybersecurity tradeoffs in their medical devices, but perhaps that’s too much to ask. But it’s clear that none of us want to see anything equivalent to a monthly patch Tuesday to the devices that help keep our bodies functioning smoothly and healthily along. But I fear that is exactly where we are heading.
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.View all posts
Don’t miss out on exclusive content and exciting announcements!