Thursday, June 13, 2013

FDA Publishes Draft Guidance on Medical Device Cybersecurity

A screenshot of the password process for a Thoratec Left Ventricular Assist Device (LVAD) provided to Dr. Kevin Fu by a physician he met on an airplane. What is the hazard analysis associated with this security mechanism?
Today the FDA issued long-awaited draft guidance on medical device cybersecurity. Engineers can find the cybersecurity document at FDA's website. The PDF is here. There is also a safety communication from FDA on cybersecurity. My takeaway is that this document acknowledges that cybersecurity is a real problem rather than a theoretical one. Unlike previous guidance on cybersecurity for specific types of COTS software, this guidance spells out more detail on a medical device manufacturer's cybersecurity responsibilities, ranging from hazard analysis that incorporates cybersecurity to meaningful instructions for end users on malware protection. However, the document is quite short...

I'll update the list below as new information comes in.  Here are some juicy quotes.
  • WSJ on "Patients Put at Risk by Computer Viruses"

    Computer viruses and other malware increasingly are infecting equipment such as hospital computers used to view X-rays and CT scans and devices in cardiac catheterization labs, agency officials said. The problems cause the equipment to slow down or shut off, complicating patient care. As more devices operate on computer systems that are connected to each other, a hospital network and the Internet, the potential for problems rises dramatically, they said.

    “We are aware of hundreds of medical devices that have been infected by malware,” or dangerous computer software, said Bill Maisel, a senior official at the FDA’s device unit. Though the agency doesn’t know of deaths or injuries resulting from this, he said, “it’s not difficult to imagine how these types of events could lead to patient harm.”
    ...
    For instance, previously unreleased Department of Veterans Affairs records show that since 2009, malware infected at least 327 devices at VA hospitals. More than 40 viruses hit devices including X-ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG.

    In one case, a VA catheterization laboratory was temporarily closed in January 2010, VA officials said. At that New Jersey facility, records show that malware had infected computer equipment needed for procedures to open blocked arteries after heart attacks. Separately, at a private Boston hospital, a virus caused a device to potentially expose sensitive patient information by sending it to outside servers.

  • WSJ on "Potential Cyberattacks on Implanted Medical Devices Draw Attention"

    Worries over medical-device cybersecurity have largely focused on plugged-in equipment primarily used in hospitals, such as computed tomography scanners and heart monitors that are vulnerable to viruses traveling across medical networks.
    Reps. Anna Eshoo (D-Calif.) and Edward Markey (D-Mass.) praised the Food and Drug Administration for directing device makers to explain how they will protect their products from hacking or tampering.

    "I welcome the FDA's tightening of security standards for medical devices capable of connecting to each other, hospital networks and the Internet," Eshoo said. "Medical devices have resulted in tremendous benefits, but the demonstrated risk from malicious hackers that comes with enhanced connectivity requires a more stringent effort by the FDA and manufacturers to identify, evaluate and plug the potentially serious security holes that exist."

    "We already protect our computers and other communications devices from hackers and other cyber threats, and it makes sense to extend those protections to patients and their medical devices," Markey said. "Patients should only have to worry about getting healthier and not about hackers tampering with their device or accessing their information. I have been concerned about this issue for years, and am encouraged that the FDA is taking action on this issue."

    Mark Olson, CISO at Beth Israel Deaconess Medical Center in Boston, calls the FDA announcements "a very positive step." He says the FDA "is placing a requirement on the manufacturers to acknowledge that they need to be part of the solution in protecting their equipment at the customers' location. It is a well-balanced approach, placing joint responsibility on the vendor and the user of the products. For security practitioners, the model of joint responsibility is ideal."

    A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.

    Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.

    "Hundreds of medical devices have been affected, involving dozens of manufacturers," Maisel said, adding that many were infected by malicious software, or malware.

This is a far cry from the reporting of only a few years ago, when denial of security problems was the norm in the medical device community. See slide #42 from a talk at MIT for a look back in time, or see my complete list of past talks on medical device security.

3 comments:

  1. While I do believe this is a step in the right direction, I want to know what type of verification and validation the FDA is putting in place. If you have a discussion with any of a number of medical device manufacturers, nearly ALL say they have security built in, but when you peel back the layers and probe a bit, one soon discovers that it is often very minimal, and frequently inadequate. Security implemented by those who are not fully competent to do so tends to be adequate enough to appease board members and C-level executives, while doing little to protect against determined attackers or researchers.

    Replies
    1. I noticed the term "implementation" in your comment. What about the requirements and design/concept phase? If the concept phase does not meaningfully address security, then it's hopeless at the implementation stage. While the "bugs" at the implementation stage make for captivating anecdotes, I feel the root causes of security flaws begin much earlier at the concept phase. For instance, lack of a threat model, lack of meaningful hazard analysis that covers cybersecurity risks well...

    2. Yes, an excellent point. Competent security professionals consider security from the design and concept phase, and I am making way too many assumptions by automatically assuming that this is part of the entire plan.

      Unfortunately, my interface with the medical device community, from a security perspective, is rarely at the design phase...although more so today than it was 5 years ago.

