Risk
4/24/2012
09:40 AM
50%
50%

Should FDA Assess Medical Device Defenses Against Hackers?

Federal advisory board calls for Congress to assign responsibility for preventing medical cyber-attacks.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)

The vulnerability of wireless medical devices to hacking has attracted attention in Washington. Although there has not yet been a high-profile case of such a cyber-attack, the Information Security and Privacy Advisory Board, which advises the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), recently proposed that the Food and Drug Administration (FDA) or another federal agency assess the security of medical devices before they're sold.

Reps. Anna Eshoo (D.-Calif.) and Edward Markey (D.-Mass.), both members of the House Energy and Commerce Committee, have asked the General Accountability Office (GAO) to prepare a report on the situation. That report is due out in July.

Congressional interest in the issue was prompted by a public demonstration of how easy it is to hack into a medical device: Security researcher Jeremy Radcliffe hacked his own insulin pump at a recent conference in Las Vegas, using a dongle attached to a PC port to change settings on the device wirelessly.

[ Is it time to re-engineer your Clinical Decision Support system? See 10 Innovative Clinical Decision Support Programs. ]

In 2008, researchers at the Medical Device Security Center in Amherst, MA, also hacked pacemakers and defibrillators wirelessly. An article in Wired Magazine noted that an attacker could use such an approach to kill somebody by sending a fatal shock to a pacemaker, for example.

The FDA has so far received no reports of patient safety incidents tied to the hacking of medical devices such as heart monitors and infusion pumps. But a Department of Veterans Affairs (VA) study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices.

Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference. MedMon monitors communications to and from implantable or wearable medical devices. If the firewall detects unusual activity, it can alert the user or send out signals to block the cyber-attack.

Niraj Jha, part of the team that developed MedMon, told UPI that although the risk of medical device hacking is low, security measures are needed before the kinds of attacks demonstrated by researchers occur in the real world.

Meanwhile, the Information Security and Privacy Advisory Board (ISPAB) believes the government should take action now. In a March 30 letter to OMB, ISPAB chair Daniel J. Chenok said, "The lack of cybersecurity preparedness for millions of software-controlled medical devices puts patients at significant risk of harm." Noting that federal responsibility for these devices is diffused among several agencies, Chenok said that oversight of cybersecurity should be given to a single agency, such as the FDA.

Chenok suggested that the FDA should work with NIST "to research cybersecurity features that could be enabled by networked or wireless medical devices in Federal settings." Furthermore, providers should not have to download software to enable such features; instead, they should be built into the device when it's purchased.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.