FDA Publishes Draft Guidance on Medical Device Cybersecurity

A screenshot of the password process for a Thoratec Left
Ventricular Assist Device (LVAD) provided to Dr. Kevin Fu by
a physician he met on an airplane. What is the hazard analysis
associated with this security mechanism?
Today the FDA issued long-awaited draft guidance on medical device cybersecurity. Engineers can find the cybersecurity document on the FDA's website. The PDF is here. There is also a safety communication from the FDA on cybersecurity. My takeaway is that this document acknowledges that cybersecurity is a real problem rather than a theoretical one. Unlike previous guidance on cybersecurity for specific types of COTS software, this guidance spells out in more detail the cybersecurity responsibilities of a medical device manufacturer, ranging from hazard analysis that incorporates cybersecurity to meaningful instructions for end users on malware protection. However, the document is quite short...

I'll update the list below as new information comes in. Here are some juicy quotes.
  • Washington Post on "FDA, facing cybersecurity threats, tightens medical-device standards"
Computer viruses and other malware increasingly are infecting equipment such as hospital computers used to view X-rays and CT scans and devices in cardiac catheterization labs, agency officials said. The problems cause the equipment to slow down or shut off, complicating patient care. As more devices operate on computer systems that are connected to each other, a hospital network and the Internet, the potential for problems rises dramatically, they said.
  • WSJ on "Patients Put at Risk by Computer Viruses"

    "We are aware of hundreds of medical devices that have been infected by malware," or dangerous computer software, said Bill Maisel, a senior official at the FDA's device unit. Though the agency doesn't know of deaths or injuries resulting from this, he said, "it's not difficult to imagine how these types of events could lead to patient harm."
    ...
    For instance, previously unreleased Department of Veterans Affairs records show that since 2009, malware infected at least 327 devices at VA hospitals. More than 40 viruses hit devices including X-ray machines and lab equipment made by companies such as General Electric Co., Philips N.V. and Siemens AG.

    In one case, a VA catheterization laboratory was temporarily closed in January 2010, VA officials said. At that New Jersey facility, records show that malware had infected computer equipment needed for procedures to open blocked arteries after heart attacks. Separately, at a private Boston hospital, a virus caused a device to potentially expose sensitive patient information by sending it to outside servers.

  • WSJ on "Potential Cyberattacks on Implanted Medical Devices Draw Attention"
Worries over medical-device cybersecurity have largely focused on plugged-in equipment primarily used in hospitals, such as computed tomography scanners and heart monitors that are vulnerable to viruses traveling across medical networks.
  • The Hill on "FDA to address hacking risk for medical devices"
Reps. Anna Eshoo (D-Calif.) and Edward Markey (D-Mass.) praised the Food and Drug Administration for directing device makers to explain how they will protect their products from hacking or tampering.
  • Eshoo, Markey Welcome FDA Tightening of Security Standards for Medical Devices
"I welcome the FDA's tightening of security standards for medical devices capable of connecting to each other, hospital networks and the Internet," Eshoo said. "Medical devices have resulted in tremendous benefits, but the demonstrated risk from malicious hackers that comes with enhanced connectivity requires a more stringent effort by the FDA and manufacturers to identify, evaluate and plug the potentially serious security holes that exist."
"We already protect our computers and other communications devices from hackers and other cyber threats, and it makes sense to extend those protections to patients and their medical devices," Markey said. "Patients should only have to worry about getting healthier and not about hackers tampering with their device or accessing their information. I have been concerned about this issue for years, and am encouraged that the FDA is taking action on this issue."
  • GovInfoSecurity on "FDA Drafts Medical Device Security Guide: Risk Mitigation Tips for Healthcare Providers Also Offered"
Mark Olson, CISO at Beth Israel Deaconess Medical Center in Boston, calls the FDA announcements "a very positive step." He says the FDA "is placing a requirement on the manufacturers to acknowledge that they need to be part of the solution in protecting their equipment at the customer's location. It is a well-balanced approach, placing joint responsibility on the vendor and the user of the products. For security practitioners, the model of joint responsibility is ideal."
  • Ars Technica on "Vast array of medical devices vulnerable to serious hacks, feds warn"
A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned.
  • Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
  • AP on "FDA Urges Protection of Medical Devices from Cyber Threats"
"Hundreds of medical devices have been affected, involving dozens of manufacturers," Maisel said, adding that many were infected by malicious software, or malware.
  • William Hyman at AAMI on "FDA Weighs in on Cybersecurity"
  • GovInfoSecurity on "Medical Device Vulnerability Alert Issued"

    The recently released draft guidance and related alerts about medical device cybersecurity are steps in the right direction, but won't likely result in big changes right away, says Dale Nordenberg, M.D., executive director of the Medical Device Innovation, Safety and Security Consortium.

    That's because many healthcare organizations aren't willing to apply OS patches or anti-viral software to medical devices without the approval of the medical device vendors because of fears about liability if something goes wrong, Nordenberg says. At the same time, the medical device makers often can't keep up with testing OS patches on their devices, he adds.

    "Guidance alone may be a call to action, but the market can really accelerate best security practices for medical devices," Nordenberg says.
  • DotMed on "Medical Devices Riddled with Security Vulnerabilities"

This is a far cry from reporting less than a few years ago, when denial of security problems was the norm in the medical device community. See slide #42 from a talk at MIT for a look back in time, or see my complete list of past talks on medical device security.