Last year, I wrote a blog post about a Food and Drug Administration (FDA) warning regarding cybersecurity for the devices used in the health care industry. In part, that warning stated:
The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices. Specifically, we recommend that manufacturers review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device.
The final guidance, titled ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,’ recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks. The guidance also recommends that manufacturers submit their plans for providing patches and updates to operating systems and medical software.
Providing the ability to patch and update devices is a vital recommendation because, as Tom Cross, research director at Lancope, told me in an email, medical devices have long been designed without any way to patch them. This isn’t just a medical device issue, either. Most devices that fall under the general label of Internet of Things aren’t designed to be patched. Security for these devices isn’t an after-thought; there is often no thought to security at all. This is why Cross also added:
When major vulnerabilities like Shellshock and Heartbleed get disclosed, healthcare providers need a path to upgrade any vulnerable network connected devices that they have, so that those devices aren't exposed to attacks. The recent string of breaches that have hit retail establishments by targeting network connected point of sale terminals demonstrate that attackers are adept at getting access to network connected devices when they have a motivation to do so. Furthermore, attacks on the Internet are often indiscriminate, and can impact network connected systems even if they aren't specifically targeted.
Security experts are applauding the recommendations, but agree that they have been needed for a long time. In fact, the FDA recommendations may already be outdated. As Chris Petersen, CTO and co-founder of LogRhythm, pointed out to me via email:
Today’s cyber adversary can easily bypass perimeter defenses and quickly find a foothold within even well defended networks. What is unique to healthcare environments, are the number of IP connected medical devices that typically have not been hardened to withstand cyber threats – at all. Manufacturers of medical devices have focused first on delivering to the needs of the patient. Securing these devices from advanced threats, has not been a mandate, and is typically not a focus. The FDA’s guidance puts a focus on devices going forward, but doesn’t address the millions of IP enabled devices currently in operation across healthcare networks globally.
These recommendations are certainly a start and something to build on, but it appears that the FDA has a long way to go to fully address security threats involving medical devices.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba