FDA Aims to Reduce Cyber-Security Risks in Common Medical Devices

When you think about the dangers of hacking, the average person is likely to picture a scene out of a spy thriller, in which an edgy figure is able to empty bank accounts or launch nuclear missiles with a few illicit keystrokes. Others might remember the recent leak of celebrity photos and worry about the safety of their personal information. While these worries are fairly common, a recent announcement from the Food and Drug Administration (FDA) suggests that we should be more concerned with vulnerabilities within devices many Americans use every day: medical equipment, from insulin pumps to pacemakers.

Following a statement last year from former Vice President Dick Cheney, in which he disclosed that doctors had disabled his pacemaker’s wireless capabilities over hacking concerns, the FDA is now convening an industry-wide endeavor to bolster the cyber-security of these medical devices. To kick off these efforts, the administration plans to host a workshop next month in Arlington, VA for medical device manufacturers, healthcare providers, biomedical engineers, health insurers and more. The two-day conference aims to discuss the best ways to identify and reduce cyber-security vulnerabilities in medical technology.

One of the major threats to many medical devices is their use of wireless technology, which lets patients and doctors deliver medication, transmit data and perform other tasks automatically. In order to regulate these wireless devices, the FDA has spent the last few years instituting a lengthy, expensive certification process for both the machines and the software in them. As a result, many systems have reportedly not been updated or patched on a regular basis. Ironically, critics say, this regulatory effort has made many medical devices more vulnerable than ever.

If a cyber vulnerability were to be exploited, the FDA has stated hackers could cause a device to malfunction, disrupt critical healthcare services, or even provide illegitimate access to patient information. Demonstrations from a number of security experts over the years have shown exactly how dangerous this could be: before his death in 2013, the famed computer security expert Barnaby Jack used a series of appearances to show how a wireless-enabled insulin pump could be manipulated into delivering a deadly dose of medication, or a pacemaker could be forced to deliver a lethal electric shock. Jay Radcliffe, a hacker with Type 1 diabetes, has also given presentations on how easily insulin pumps can be exploited through common security issues.

However, despite these popular demonstrations, a report from the Association for the Advancement of Medical Instrumentation suggests that a medical device incident is more likely to be related to device availability and integrity. While most cyber-security measures are designed to last months, the typical medical device is designed to last years, or even decades. This means that the device could be running obsolete or unsupported software, leaving a patient’s safety at the risk of what the report calls “a lifecycle mismatch”.

The FDA’s announcement has resonated deeply with many in the healthcare manufacturing industry, who often struggle to ensure their devices meet safety standards despite extensive and expensive testing requirements.

Currently, the FDA says its goal is to create a collaborative process between a number of different healthcare industries. This collaboration will hopefully be able to identify potential cyber-security risks, especially on popular, long-lasting systems. The FDA also says it wants these industries to develop better security standards and benchmarks to assess and mitigate vulnerabilities, especially when it comes to updating software in a timely manner.