Hacking: FDA is developing a ‘cybersecurity laboratory’

Medical device makers would do well to fortify their cybersecurity strategies in preparation for the extra layers of software testing and review in development at the FDA.

Federal healthcare regulators have solicited bids from security group Codenomicon Defensics to help build a "cybersecurity laboratory" where regulators can take a closer look at software bugs and weaknesses in medtech systems. Codenomicon’s systems will subject devices to "fuzz testing," barraging the software in search of defects or vulnerabilities that could leave a system open to attack.

"This is excellent news for the medical device industry," Codenomicon CEO David Chartier said in prepared remarks. "Cybersecurity for medical devices has been lacking in standardized testing procedures, and the FDA introducing fuzz testing capabilities is a big step forward."

The contract came in the weeks after the FDA issued new guidance asking that device makers remain "vigilant" about cybersecurity and that companies document their efforts and submit them for review of new devices. Although the FDA stopped short of recommending specific actions or setting security standards, the action gave the agency leverage in potentially rejecting new technologies that don’t demonstrate sufficient reliability or security in their software.

With the FDA’s July 21 solicitation, device makers can begin predicting how cybersecurity oversight may play out. The agency is tracking down bugs, it says, testing new products for software vulnerabilities that could cause a device to behave erratically or allow an unknown attacker to access the system or take it over entirely. Fuzzing techniques bombard systems with malformed or unexpected inputs in search of weak points.

It was a pretty basic fuzzing attack that security researchers said brought down a Philips (NYSE:PHG) Xper hospital management system under the force of only 6 lines of code that took just a few days to find and exploit. Security experts Billy Rios and Terry McCorkle, who usually test security in industrial control systems, divulged that hack earlier this year after discovering that they could crash the systems, manipulate them and possibly use them as a gateway to access and hack other networked devices.

The key to avoiding similar issues is a matter of subjecting systems to such attacks during the test phase, so that they can better stand up to the barrage of inputs that may come from attackers or even benign sources.

"That’s the piece that’s missing," McCorkle told MassDevice.com in an interview earlier this year. "You don’t have robust testing behind the scenes."

"Some bugs are exposed and fixed during the testing phase of a software development process," the FDA noted. "The bugs that slip past the testing phase without being found and fixed are unknown vulnerabilities and can be triggered, sometimes with catastrophic results, after the product release."

The agency selected Codenomicon’s fuzzing suite because it subjects systems to a slew of tests and generates output reports defining potential weaknesses and even solutions. The fuzzing program also runs on a popular Java code application, which means it’s easy to deploy on the FDA’s existing computers.

The FDA requested Codenomicon tools to test Bluetooth connections, WiFi clients and HTTP servers. The agency also asked for a few radio and Bluetooth transmitters and some training and implementation services.

"When software is fuzz tested proactively, vulnerabilities can be found and fixed before deployment, resulting in more secure and robust, high quality software," the FDA said. "Fuzz tested product has less critical vulnerabilities that need to be patched. This means less cost from patch development and release, and product recalls."
