Security Experts:

Lawmakers Say FDA Needs to Consider Security for Medical Devices

Two lawmakers are asking the United States Food and Drug Administration to start thinking more about how to secure medical devices from cyber-attacks.

While the FDA looks at unintended threats that would arise from electromagnetic activity, improper software testing, and access control issues, the agency has not looked at the potential for intentional harm, the US Government Accountability Office said in a report released back in August. The report recommended the FDA carefully evaluate threats to medical devices and put strategies in place to mitigate known vulnerabilities before allowing the device to go to market.

Medical Device SecurityThe FDA needs to think about risk management, patch and vulnerability management, technical audit and accountability, and security incident response, the GAO report said.

"Even the human body is vulnerable to attack from computer hackers," Rep. Anna G. Eshoo (D-Calif) said in a statement.

While implantable medical devices have "tremendous medical benefits," the possibility of attack—while still rare— means the FDA and manufacturers need to work together to identify, evaluate and fix potential security holes in those devices, Eshoo said.

Researchers have recently demonstrated how an attacker could compromise medical devices such as defibrillators, insulin pumps, and pacemakers. While the attacks required a lot of work to carry out, researchers were able to remotely manipulate devices because the devices had poor access controls.

For example, in a Black Hat presentation last year, Jay Radcliffe demonstrated how to intercept wireless signals emitted by the insulin pump and send commands to interfere with normal operation. In October 2011, McAfee's Barnaby Jack overrode an insulin pump's radio control and its safety alert feature and dumped more than one week's supply of insulin in one dose.

The FDA did "not consider information security risks from intentional threats as a realistic possibility until recently," the GAO found.

The report identified potential scenarios, such as draining the battery, intercepting data transferred from the device or sending altered information to the device to interfere with normal operations, and disabling alarms and other warning mechanisms on the device. Attackers could exploit remote access to take over the device, or break in to the device using its wireless capabilities as a point of entry, and bypass authentication processes, the report found. Potential attacks can take advantage of older products, which may not have been designed with security in mind, or the fact that not all devices can easily be patched or updated if software flaws are identified.

"Patients need to be informed about whether the medical devices implanted in their bodies contain security vulnerabilities that could harm them so they can take appropriate precautions whenever possible," said Rep. Edward J. Markey (D-Mass).

The GAO report made four recommendations to the FDA. First of all, the agency focus on what potential threats, vulnerabilities, and security risks manufacturers identify during the approval process. The agency should also consider strategies for mitigating the identified risks. The responsibility doesn't end as soon as it hits the market, since the FDA should continue efforts to identify and investigate security issues.

The FDA should take advantage of all "available resources," especially from other agencies, such as National Institute of Standards and Technology, the report recommended. In fact, the agency has been working towards a collaborative relationship with the Department of Homeland Security, NIST, Department of Defense, and other federal law enforcement agencies, Jim Esquea, assistant secretary for legislation at the Department of Health and Human Services, wrote in the comments to the GAO report.

The agency also needs to react with a specific plan and timetable for implementing fixes once problems have been identified, the GAO suggested.

Related Reading: Securing Medical Devices From Attacks

Related Reading: Hacking The Human Body SCADA System

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.