Medical device makers would do well to fortify their cybersecurity strategies in preparation for the extra layers of software testing and review in development at the FDA.
Federal healthcare regulators have solicited bids from security group Codenomicon Defensics to help build a "cybersecurity laboratory" where regulators can take a closer look at software bugs and weaknesses in medtech systems. Codenomicon’s systems will subject devices to "fuzz testing," barraging the software in search of defects or vulnerabilities that could leave a system open to attack.
"This is excellent news for the medical device industry," Codenomicon CEO David Chartier said in prepared remarks. "Cybersecurity for medical devices has been lacking in standardized testing procedures, and the FDA introducing fuzz testing capabilities is big step forward."
The contract came in the weeks after the FDA issued new guidance asking that device makers remain "vigilant" about cybersecurity and that companies document their efforts and submit them for review of new devices. Although the FDA stopped short of recommending specific actions or setting security standards, the action gave the agency leverage in potentially rejecting new technologies that don’t demonstrate sufficient reliability or security in their software.
With the FDA’s July 21 solicitation solicitation, device makers can begin predicting how cybersecurity oversight may play out. The agency is tracking down bugs, it says, testing new products for software vulnerabilities that could cause a device to behave erratically or allow an unknown attacker to access the system or take it over entirely. Fuzzing techniques bombard systems with malformed or unexpected inputs in search of weak points.
It was a pretty basic fuzzing attack that security researchers said brought down a Philips (NYSE:PHG) Xper hospital management system under the force of only 6 lines of code that took just a few days to find and exploit. Security experts Billy Rios and Terry McCorkle, who usually test security in industrial control systems, divulged that hack earlier this year after discovering that they could crash the systems, manipulate them and possibly use them as a gateway to access and hack other networked devices.
The key to avoiding similar issues is a matter of subjecting systems to such attacks during the test phase, so that they can better stand up to the barrage of inputs that may come from attackers or even benign sources.
"That’s the piece that’s missing," McCorkle told MassDevice.com in an interview earlier this year. "You don’t have robust testing behind the scenes."
"Some bugs are exposed and fixed during the testing phase of a software development process," the FDA noted. "The bugs that slip past the testing phase without being found and fixed are unknown vulnerabilities and can be triggered, sometimes with catastrophic results, after the product release."
The agency selected Codenomicon’s fuzzing suite because it subjects systems to a slew of tests and generates output reports defining potential weaknesses and even solutions. The fuzzing program also runs on a popular Java code application that means it’s easy to deploy on the FDA’s existing computers.
The FDA requested Codenomicon tools to test Bluetooth connections, WiFi clients, HTTP servers. The agency also asked for a few radio and Bluetooth transmitters and some training and implementation services.
"When software is fuzz tested proactively, vulnerabilities can be found and fixed before deployment, resulting more secure and robust, high quality software," the FDA said. "Fuzz tested product has less critical vulnerabilities that need to be patched. This means less cost from patch development and release, and product recalls."