FDA issues medical device safety warning

“As medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates,” the FDA said in its alert. The attacks “could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks,” it added.

Medical device concerns can be frightening indeed. Last fall IOActive found that several vendors’ pacemakers can be remotely controlled and commanded to deliver an 830-volt shock via a laptop, thanks to software programming flaws on the part of medical device companies. That is, of course, enough to kill someone, and company researcher Barnaby Jack noted that the vulnerabilities open the door to “mass murder.”

Worryingly, the FDA’s warning isn’t a what-if announcement – issues have been detected in the wild. While the FDA “is not aware of any patient injuries or deaths associated with these incidents,” reports have flowed into the FDA about specific vulnerabilities and incidents that could directly impact medical devices or hospital network operations.

The FDA’s list is fairly typical of any enterprise threat landscape and includes: network-connected/configured medical devices that have become infected or disabled by malware; the presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems and implanted patient devices; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals and poor coding/SQL injection.

The FDA also said that it’s seeing uncontrolled distribution of passwords, disabled passwords and hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel).

Also, medical device manufacturers, hospitals, medical device user facilities, health care IT and procurement staff, and biomedical engineers are failing to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models, it added.

The FDA released a draft guidance on how manufacturers should address cybersecurity in their pre-market submissions, and characterizes the responsibility as part of overall device safety. “The FDA has been working closely with other federal agencies and manufacturers to identify, communicate and mitigate vulnerabilities and incidents as they are identified,” it said. “Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity, and are responsible for putting appropriate mitigations in place to address patient safety and assure proper device performance.”

The FDA has been tackling medical device security as an ongoing issue. Last year in June it released study results which found, for example, that software flaws caused around 24% of medical device recalls at one medical device manufacturer’s facility in 2011, according to an OSEL inspection team.
