In a previous post I wrote about the poor security of medical devices, and used this Bloomberg article from November 2015 to highlight the severity of the situation, and the need for the industry to fix this problem to protect patient safety and privacy. While my intent was to provide a “then and now” perspective, it was rightly pointed out by a reader that I leaned-in too much to the dated Bloomberg article, and didn’t talk enough about current efforts to address this issue. In fact, the same day of publishing the aforementioned blog, the FDA released this statement covering its roadmap to tighten security measures in medical devices. So, please read on to learn more about recent threats and research, and how the industry is responding to improved medical device security.
For starters, let’s clarify that the threat of insecure medical devices is still real and evident today. This article covers a more recent experience where Joshua Corman, a cyber security researcher, finds himself in a pickle. His daughter was admitted to a hospital after doing some blood work only to realize that the infusion pump device being used was known to be vulnerable to cyber attacks. We saw another example at the recent Black Hat conference where Billy Rios of Whitescope and Jonathan Butts of QED Secure Solutions demonstrated live sessions where they were hacking insulin pumps as described in this article.
Now, let’s review the FDA’s roadmap and see just what the plan is, and what we can expect. The linked statement does cover a timeline going back June 13, 2013 detailing the FDA’s interest in this matter.
On October 18, 2018, the FDA published the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. It is a draft providing guidance and recommendations to the industry in terms of the cyber security of device designs. It also includes the documentation that the FDA recommends be included in premarket submissions for devices with potential cyber security risks. In attempts to bring unification and recognize public concerns of the security of medical devices, the FDA is holding a public workshop on January 29–30, 2019, to address these matters. Stakeholders in the industry are to discuss in-depth the above-mentioned draft guidance along with sub-topics pertaining to the Cybersecurity Bill of Materials, which can be a critical element in identifying assets, threats, and vulnerabilities.
Also in October 2018, the FDA supported the development of the MITRE Corporation’s Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. This resource describes the types of readiness activities that health delivery organizations can utilize to better prepare for a cyber security incident involving medical devices. It also gives product developers more of an opportunity to address the potential for large scale impacts that could raise patient safety concerns. Follow this link to read more about the Medical Device Safety Action Plan put in place by the FDA.
Not only does the FDA have a track record of interests but they are also calling upon industry experts to become participants in the team to push for enhanced security. Obviously, this means that time is needed to fully see this through, building upon suggestions by experts in each domain to provide a final resource for all parties involved from device manufacturers to hospital staff in charge of procuring said devices. With collaboration on this level, ensuring accuracy and legitimacy is required to be able to still provide the benefits of these devices while offering a sense of security. All parties and stakeholders in the industry need to work together and share the burden of ensure product security.
Here are a few takeaways to help stay safe and secure in the meantime. A layered security approach is definitely the best approach. Each layer, in a layered approach, adds that much more difficulty to an attacker’s process. Another recommendation is segregating medical devices onto their own network rather than a shared network with varying workstations and other devices. This way, threats would have to hop additional security measures to get to other networks and more sensitive information.