Will hackers turn your lifesaving device into a life-threatening one?

FDA warns of cybersecurity vulnerabilities in implanted medical devices

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

What seemed like a far­fetched sce­nario out of Hol­ly­wood four years ago is now yet anoth­er real­i­ty that secu­ri­ty experts have been warn­ing about.

In the screen ver­sion, the U.S. vice pres­i­dent is assas­si­nat­ed on the TV show “Home­land” after a hack­er takes con­trol of his pace­mak­er and stops his heart—making it look like a heart attack.

In real life, the U.S. Food and Drug Admin­is­tra­tion recent­ly released a safe­ty warn­ing that St. Jude Med­ical implantable car­diac devices and their remote trans­mit­ters con­tain secu­ri­ty vul­ner­a­bil­i­ties. An unau­tho­rized par­ty could use the vul­ner­a­bil­i­ties to “mod­i­fy pro­gram­ming com­mands” on the device that could result in rapid bat­tery drain­ing or “admin­is­tra­tion of inap­pro­pri­ate pac­ing or shocks.”

Coin­ci­den­tal­ly, the warn­ing came on the heels of an FDA doc­u­ment address­ing this very issue: At the end of Decem­ber, the agency released its guid­ance for the post-mar­ket man­age­ment of med­ical device cybersecurity.

The guid­ance is sim­i­lar to a pre­vi­ous­ly issued one for pre­mar­ket design and devel­op­ment. Both are nonbinding.

Relat­ed sto­ry: More health care orga­ni­za­tions on HIPAA’s hit list

The FDA can take action against prod­ucts that vio­late the Food, Drug and Cos­met­ic Act, which could include devices that pose seri­ous injury or death risks and lack reme­di­a­tion. Out­side of that, it’s unclear what, if any­thing, the FDA would do about low­er-lev­el risks that are not being mitigated.

Enforce­ment or not, there’s plen­ty of skep­ti­cism about the influ­ence the doc­u­ment will have on device man­u­fac­tur­ers. Secu­ri­ty experts call it a good first step—emphasis on “first.”

But they are not con­vinced that the guid­ance will moti­vate the indus­try to make med­ical devices more secure.

Absent of seri­ous crises or patient deaths, I’m not opti­mistic that this doc­u­ment will get the atten­tion of many com­pa­nies build­ing med­ical devices,” says John Dick­son, a prin­ci­pal with the secu­ri­ty firm Den­im Group Ltd., and who for­mer­ly served at the Air Force Infor­ma­tion War­fare Center.

The guid­ance “empha­sizes that man­u­fac­tur­ers should mon­i­tor, iden­ti­fy and address cyber­se­cu­ri­ty vul­ner­a­bil­i­ties and exploits as part of their post-mar­ket man­age­ment of med­ical devices.”

Among oth­er things, the FDA rec­om­mends that manufacturers:

• Fol­low the Nation­al Insti­tute of Stan­dards and Tech­nol­o­gy (NIST) Frame­work for Improv­ing Crit­i­cal Infra­struc­ture Secu­ri­ty, which is wide­ly used in many industries

• Imple­ment a risk-man­age­ment pro­gram for iden­ti­fy­ing and assess­ing vulnerabilities

• Act on infor­ma­tion about vul­ner­a­bil­i­ties and deploy patch­es quickly.

A big prob­lem to crack

Dick­son says that the sheer num­ber of devices in circulation—potentially mil­lions, reg­is­tered to some 6,500 to 7,000 manufacturers—creates a major problem.

Most of the med­ical device com­pa­nies are just try­ing to get the capa­bil­i­ty to work well—and here comes (a prob­lem) they real­ly didn’t con­sid­er before,” he says.

The embed­ded sen­sors and devices were designed for a long lifes­pan and, in many cas­es, not intend­ed to be upgraded.

If those devices can­not receive soft­ware updates at some time in their lifes­pan, they will be vul­ner­a­ble, so the risk is enor­mous,” says Hamil­ton Turn­er, chief tech­nol­o­gy offi­cer at mobile-secu­ri­ty ven­dor Opti­o­Labs.

The indus­try has been slow to react.

Ash­ton Mozano, chief tech­nol­o­gy offi­cer at Cir­ca­dence, a “next-gen­er­a­tion” provider of cyber­se­cu­ri­ty train­ing, says that some of the device vul­ner­a­bil­i­ties have been known for as long as a decade. But the response has not been like in air­line or auto­mo­tive safe­ty, where “there’s a whole com­mu­ni­ty that gets up in arms” when there’s a faulty or dan­ger­ous product.

We don’t real­ly see that in cyber­space yet. The med­ical device indus­try, as well as the IoT realm, have been essen­tial­ly iso­lat­ed from that lev­el of wide­spread glob­al scruti­ny,” Mozano says.

The FDA began warn­ing about the prob­lem a few years ago. The guid­ance cer­tain­ly indi­cates the agency’s inter­est in cyber­se­cu­ri­ty is grow­ing. Unfor­tu­nate­ly, the FDA may not be in the best posi­tion to address the problem.

They’re not in the best sit­u­a­tion to have the knowl­edge and skill set … to man­date reg­u­la­tions for the cyber indus­try,” Mozano says. “They don’t want to overregulate.”

Plen­ty of gaps to be filled

The FDA defines patient harm as phys­i­cal injury, dam­age to health, or death. Oth­er types of harm—such as loss of per­son­al health information—is exclud­ed from the FDA’s scope.

Turn­er thinks that’s an over­sight. He says that data tak­en from a device can some­times include infor­ma­tion about the oper­at­ing envi­ron­ment, includ­ing secure Wi-Fi access that could be used to access the net­work and cause patient harm.

Ignor­ing loss of data in a secu­ri­ty con­text can lead to some very seri­ous reper­cus­sions,” he says.

Long-term exe­cu­tion of the guid­ance also is ques­tion­able. Mozano says there needs to be “a clear assign­ment of roles and respon­si­bil­i­ties through­out the entire ver­ti­cal and hor­i­zon­tal sup­ply chain.” And, there needs to be bet­ter lead­er­ship and a more sys­tem­at­ic, step-by-step imple­men­ta­tion, he says.

The FDA could take a page from the auto­mo­tive indus­try, where rank­ings by third-par­ty eval­u­a­tors such as JD Pow­ers influ­ence buy­ing deci­sions. This would not only moti­vate man­u­fac­tur­ers to pro­tect their rep­u­ta­tion, but also put some of the pow­er into the hands of the users.

This could be more effec­tive than hav­ing dra­con­ian reg­u­la­tions,” Mozano says.

The indus­try sen­ti­ment seems to be that sce­nar­ios à la TV’s “Home­land” are still far­fetched. Even the Depart­ment of Home­land Secu­ri­ty said the vul­ner­a­bil­i­ty in St. Jude’s devices would have required “an attack­er with high skill.”

But Dick­son empha­sizes that what was sci­ence fic­tion as recent­ly as two years ago is now becom­ing a major prob­lem. After all, not too long ago “peo­ple said polit­i­cal cam­paigns were too sophis­ti­cat­ed to hack.”

Giv­en the wide­spread and ubiq­ui­tous nature of med­ical devices, the fact that a more sophis­ti­cat­ed attack­er could do this means it will hap­pen at some point,” he says. “As the sophis­ti­ca­tion goes down the chain, there’ll be more automa­tion to do it. At this point, nobody has fig­ured out how to auto­mat­i­cal­ly attack, but that will happen.”

More sto­ries relat­ed to secu­ri­ty of the Inter­net of Things:
FDA offers pre­scrip­tion for secu­ri­ty of med­ical devices
As the Inter­net of Things expands, so do the risks
Three trends in health care call for extra dose of cybersecurity


Posted in Cybersecurity, Featured Story