4/24/2012
09:40 AM

Should FDA Assess Medical Device Defenses Against Hackers?

Federal advisory board calls for Congress to assign responsibility for preventing medical cyber-attacks.

The vulnerability of wireless medical devices to hacking has attracted attention in Washington. Although there has not yet been a high-profile case of such a cyber-attack, the Information Security and Privacy Advisory Board, which advises the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), recently proposed that the Food and Drug Administration (FDA) or another federal agency assess the security of medical devices before they're sold.

Reps. Anna Eshoo (D.-Calif.) and Edward Markey (D.-Mass.), both members of the House Energy and Commerce Committee, have asked the General Accountability Office (GAO) to prepare a report on the situation. That report is due out in July.

Congressional interest in the issue was prompted by a public demonstration of how easy it is to hack into a medical device: Security researcher Jeremy Radcliffe hacked his own insulin pump at a recent conference in Las Vegas, using a dongle attached to a PC port to change settings on the device wirelessly.

In 2008, researchers at the Medical Device Security Center in Amherst, MA, also hacked pacemakers and defibrillators wirelessly. An article in Wired Magazine noted that an attacker could use such an approach to kill somebody by sending a fatal shock to a pacemaker, for example.

The FDA has so far received no reports of patient safety incidents tied to the hacking of medical devices such as heart monitors and infusion pumps. But a Department of Veterans Affairs (VA) study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices.

Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference. MedMon monitors communications to and from implantable or wearable medical devices. If the firewall detects unusual activity, it can alert the user or send out signals to block the cyber-attack.

Niraj Jha, part of the team that developed MedMon, told UPI that although the risk of medical device hacking is low, security measures are needed before the kinds of attacks demonstrated by researchers occur in the real world.

Meanwhile, the Information Security and Privacy Advisory Board (ISPAB) believes the government should take action now. In a March 30 letter to OMB, ISPAB chair Daniel J. Chenok said, "The lack of cybersecurity preparedness for millions of software-controlled medical devices puts patients at significant risk of harm." Noting that federal responsibility for these devices is diffused among several agencies, Chenok said that oversight of cybersecurity should be given to a single agency, such as the FDA.

Chenok suggested that the FDA should work with NIST "to research cybersecurity features that could be enabled by networked or wireless medical devices in Federal settings." Furthermore, providers should not have to download software to enable such features; instead, they should be built into the device when it's purchased.

