Hoping to strengthen the security of medical devices, the Food and Drug Administration today issued a new series of guidelines for manufacturers. The document was released to encourage companies to mitigate viruses and malware on devices such as defibrillators, insulin pumps and pacemakers before they reach patients.
While no company was called out, the FDA outlined general recommendations.
Manufacturers are expected to review their cybersecurity practices, ensure that only trusted users can access their devices, and improve security controls such as user IDs and passwords. In addition to device manufacturers, health care facilities are also reminded in the memo to keep their antivirus software updated, restrict their networks to authorized users and work one-on-one with device manufacturers when a problem surfaces.
The warnings come after several devices have been found vulnerable to hacks. Since most of them include what the FDA calls “configurable embedded computer systems,” the smaller devices could fall victim to hackers, like any desktop or laptop computer.
The FDA makes a point of asserting that it is not aware of any deaths or injuries associated with these vulnerabilities or malfunctions. The agency simply calls cybersecurity incidents “increasingly likely,” making the note from the FDA more of a warning siren than a mandate for manufacturers.
Under the agency’s rules, the FDA does not have to review or approve software changes that are made in order to improve cybersecurity. It also notes that the guidance documents are just that – guidance – and that they “do not establish legally enforceable responsibilities.”
The medical device and health care sector has seen a sizeable chunk of threats over the last few years but this is one of the first general warnings to come down from a specialized government agency.
Earlier this year, noted researchers Billy Rios and Terry McCorkle hit the conference circuit to share details about a handful of vulnerabilities they discovered that affect medical products. One such vulnerability, a problem with an x-ray processing machine made by Philips, could allow an attacker to take full control of the machine. According to the pair, speaking at Digital Bond’s Security Scientific Symposium (S4) Conference in January, the FDA was just beginning to intervene.
Barnaby Jack, now the Director of Embedded Device Security at IOActive, Inc., unearthed bugs in 2012 that could send a lethal shock to some pacemakers, and in 2011 found a way to wirelessly take control of a Medtronic insulin pump.
The Government Accountability Office sent a similar warning to the FDA about the safety of medical devices last October, asking it to do more to address their electronic complexities. At the time, the GAO asked the FDA to “develop and implement a plan expanding its focus on information security risks.” It seems now that the FDA is doing just that.