Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/24/2012
09:40 AM
50%
50%

Should FDA Assess Medical Device Defenses Against Hackers?

Federal advisory board calls for Congress to assign responsibility for preventing medical cyber-attacks.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)

The vulnerability of wireless medical devices to hacking has attracted attention in Washington. Although there has not yet been a high-profile case of such a cyber-attack, the Information Security and Privacy Advisory Board, which advises the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST), recently proposed that the Food and Drug Administration (FDA) or another federal agency assess the security of medical devices before they're sold.

Reps. Anna Eshoo (D.-Calif.) and Edward Markey (D.-Mass.), both members of the House Energy and Commerce Committee, have asked the General Accountability Office (GAO) to prepare a report on the situation. That report is due out in July.

Congressional interest in the issue was prompted by a public demonstration of how easy it is to hack into a medical device: Security researcher Jeremy Radcliffe hacked his own insulin pump at a recent conference in Las Vegas, using a dongle attached to a PC port to change settings on the device wirelessly.

[ Is it time to re-engineer your Clinical Decision Support system? See 10 Innovative Clinical Decision Support Programs. ]

In 2008, researchers at the Medical Device Security Center in Amherst, MA, also hacked pacemakers and defibrillators wirelessly. An article in Wired Magazine noted that an attacker could use such an approach to kill somebody by sending a fatal shock to a pacemaker, for example.

The FDA has so far received no reports of patient safety incidents tied to the hacking of medical devices such as heart monitors and infusion pumps. But a Department of Veterans Affairs (VA) study showed that between January 2009 and spring 2011, there were 173 incidents of medical devices being infected with malware. The VA has taken the threat seriously enough to use virtual local area networks to isolate some 50,000 devices.

Recently, researchers from Purdue and Princeton Universities announced that they had built a prototype firewall known as MedMon to protect wireless medical devices from outside interference. MedMon monitors communications to and from implantable or wearable medical devices. If the firewall detects unusual activity, it can alert the user or send out signals to block the cyber-attack.

Niraj Jha, part of the team that developed MedMon, told UPI that although the risk of medical device hacking is low, security measures are needed before the kinds of attacks demonstrated by researchers occur in the real world.

Meanwhile, the Information Security and Privacy Advisory Board (ISPAB) believes the government should take action now. In a March 30 letter to OMB, ISPAB chair Daniel J. Chenok said, "The lack of cybersecurity preparedness for millions of software-controlled medical devices puts patients at significant risk of harm." Noting that federal responsibility for these devices is diffused among several agencies, Chenok said that oversight of cybersecurity should be given to a single agency, such as the FDA.

Chenok suggested that the FDA should work with NIST "to research cybersecurity features that could be enabled by networked or wireless medical devices in Federal settings." Furthermore, providers should not have to download software to enable such features; instead, they should be built into the device when it's purchased.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...