
With Eye to Device Security, FDA Announces Launch of Cybersecurity Testing Laboratory

Posted 22 July 2013 | By Alexander Gaffney, RAC 

The US Food and Drug Administration (FDA), following increased concerns regarding the security of medical devices, is in the midst of developing a cybersecurity laboratory, it announced this weekend.

Background

The last several years have brought a drumbeat of warnings from security researchers, analysts and government agencies regarding the susceptibility of medical devices to hacking attempts. An April 2013 report from the National Institute of Standards and Technology (NIST) called for FDA to be given the authority to assess the security of medical devices before they are allowed to market, as well as the formation of a postmarketing surveillance database to track software vulnerabilities.

Then, in May 2013, the Department of Homeland Security (DHS) issued a similar warning, noting that FDA was then unable to regulate medical device use or users, including how they are linked together or configured within networks. This created issues, explained DHS's National Cybersecurity and Communications Integration Center (NCCIC), as the security of each individual network largely dictates how secure each individual device is.

The report went on to note four principal factors affecting medical device security:

  1. Many devices are "legacy" medical devices approved before the adoption of the 1976 Medical Device Amendments, and are thus not subject to premarket approval testing by FDA.
  2. Some devices now come equipped with advanced networking capabilities which may be confusing to end-users. This complicates efforts to properly secure the devices from network intrusion.
  3. Network security functions may be the first to be cut if a healthcare facility is looking to cut its budget because they are the least obvious to patients.
  4. Because many medical devices contain protected health information, some healthcare facilities may not wish to expose the devices to security upgrades released by the manufacturer.

A subsequent report by the Government Accountability Office (GAO) also noted the potential for hackers to disrupt medical devices, tamper with device settings, disable key functions, obtain sensitive data or disable the device entirely. This could be accomplished through remote access vulnerabilities, interruptible wireless signals, unencrypted data transfers, susceptibility to interference, faulty warning mechanisms, reliance on outdated and obsolete technologies and the inability to download security patches, the report said.

Recent FDA Action

As a result, FDA announced in early June 2013 that it would begin to require device manufacturers to submit proof that their devices adhere to three principles: confidentiality, integrity and availability. In other words, data must be accessible only to authorized users and for authorized purposes; must always be accurate, complete and properly modified; and must be available when and where it is needed.

Failure to maintain these principles can result in injury or death in patients, FDA noted.

While falling short of requiring specific security standards, a guidance document released by FDA also called on industry to "consider cybersecurity during the design phase of the medical device," noting that such considerations can mitigate actual and potential risks.

These considerations should be documented under a cybersecurity risk analysis and management plan under the terms of 21 CFR 820.30(g), FDA added, including:

  • identification of assets, threats, and vulnerabilities
  • impact assessment of the threats and vulnerabilities on device functionality
  • assessment of the likelihood of a threat and of a vulnerability being exploited
  • determination of risk levels and suitable mitigation strategies
  • residual risk assessment and risk acceptance criteria

Not all devices will be held to the same standards, FDA added. For example, a device that exists in a highly networked environment and that is responsible for keeping a patient alive should be subject to vigorous security controls, while a non-networked heart monitor might be subject to less rigorous ones.

New Efforts to Protect Devices

But those efforts are only the beginning, FDA said in a notice on the Federal Business Opportunities (FBO) website on 21 July 2013.

The notice, a solicitation, notes that poorly designed software containing "bugs" - unintended errors caused by either normal or abnormal use - can create vulnerabilities, potentially causing the software to "crash," become unavailable, utilize too many system resources or cause other unintended consequences.

"In the worst case, an attacker might be able to trigger the bug in a special way such that he or she can run his or her own instructions," FDA added, referring to a process most people know more colloquially as hacking. These vulnerabilities can lead to "catastrophic results" if not caught in time, FDA added.

Enter: The Fuzz

To combat these potential vulnerabilities, FDA said the industry standard is "fuzzing," a process which subjects a piece of software to a barrage of unintended input data to find defects. For example, software might be subject to a denial of service (DoS) attack to see how it responds to a massive influx of data requests.

"When software is fuzz tested proactively, vulnerabilities can be found and fixed before deployment, resulting in more secure and robust, high quality software," the agency explains. This results in a product that is safer for consumers and is less likely to be recalled or need subsequent patching, FDA explained.

The problem as it stands, however, is that the agency doesn't yet have the capability to conduct this kind of testing.

The announcement states that "FDA is developing a cybersecurity laboratory in which a fuzz testing capability is to be integrated."

Though details about the laboratory are still scarce, FDA said it is looking to use a fuzz testing tool manufactured by Codenomicon called "Defensics" to get the lab up and running. Interestingly enough, FDA said it also selected the Defensics software because it is capable of running on a Linux CentOS 6.3 operating system, allowing it to avoid many of the threats found on other operating systems and to "protect the results of the testing."

In plainer terms, FDA seems to be taking steps to ensure that its security testing efforts are themselves not subject to hacking, and don't become a blueprint for nefarious purposes.


FDA's FBO Notice

