FDA Advised to Improve Medical Devices’ Security

Here’s something else to worry about: your medical device may be a target of a cyberthreat.

That’s what the Government Accountability Office (GAO) is saying, at least. In a new report (PDF), the congressional auditing agency recommended that the U.S. Food and Drug Administration (FDA) start focusing on whether medical device manufacturers identify potential unintentional and intentional threats to their devices’ operation, Naked Security reports.

Researchers have demonstrated how the safe operation of insulin pumps and implantable cardioverter defibrillators can be threatened. McAfee, the security company, succeeded in overriding an insulin pump’s radio control and its vibrating alert safety feature. These pumps typically hold up to 300 doses of insulin, enough to treat a diabetic for a week or two. In the demonstration, the researchers delivered the entire cartridge at once, a lethal dose, and disabled the alarm that is designed to sound when the device malfunctions.

The company also developed software and an antenna that let the researchers seize control of any such pump within 300 feet. To pull the feat off, the researchers did not need to know the target pump’s serial number, so the attack is not limited to a device they had already identified.

Until now, the FDA has not examined, whether through patch management, technical audits or security incident response, how medical devices could be vulnerable to intentional attacks. According to the GAO report, the FDA has regarded such attacks as too outlandish to be seriously considered.

Indeed, no intentional attacks causing security incidents have been reported. However, the research has the FDA considering that, as devices grow more sophisticated, several risk areas emerge: limited battery capacity, remote access, continuous use of wireless communication, unencrypted data transfer, susceptibility to electromagnetic interference, disabling of warning mechanisms, and the inability to update or install security patches.

GAO made four recommendations. Naked Security summarizes them as:

  • Increase its focus on manufacturers’ identification of potential unintentional and intentional threats, vulnerabilities, the resulting information security risks, and strategies to mitigate these risks during its PMA (premarket approval) review process;
  • Utilize available resources, including those from other entities, such as other federal agencies;
  • Leverage its postmarket efforts to identify and investigate information security problems; and
  • Establish specific milestones for completing this review and implementing these changes.

Source: “Medical device hacking — FDA are told to start taking it seriously,” Naked Security, 10/3/12