Hacking: FDA is developing a ‘cybersecurity laboratory’

Medical device makers would do well to fortify their cybersecurity strategies in preparation for the extra layers of software testing and review in development at the FDA.

Federal healthcare regulators have solicited bids from security firm Codenomicon, maker of the Defensics test suite, to help build a "cybersecurity laboratory" where regulators can take a closer look at software bugs and weaknesses in medtech systems. Codenomicon's tools will subject devices to "fuzz testing," barraging the software with malformed input in search of defects or vulnerabilities that could leave a system open to attack.

"This is excellent news for the medical device industry," Codenomicon CEO David Chartier said in prepared remarks. "Cybersecurity for medical devices has been lacking in standardized testing procedures, and the FDA introducing fuzz testing capabilities is [a] big step forward."

The contract came in the weeks after the FDA issued new guidance asking that device makers remain "vigilant" about cybersecurity and that companies document their efforts and submit that documentation with new device submissions for review. Although the FDA stopped short of recommending specific actions or setting security standards, the move gave the agency leverage to reject new technologies that don't demonstrate sufficient reliability or security in their software.

With the FDA's July 21 solicitation, device makers can begin predicting how cybersecurity oversight may play out. The agency says it is tracking down bugs, testing new products for software vulnerabilities that could cause a device to behave erratically or allow an unknown attacker to access the system or take it over entirely. Fuzzing techniques bombard a system with malformed or unexpected inputs, watching for crashes, hangs or other misbehavior that mark a weak point.
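To make concrete what "bombarding a system with malformed inputs" looks like in practice, here is a small mutation-based fuzzer. It is an added illustration, not code from Codenomicon, the FDA or this article. Its target is a deliberately naive HTTP request parser constructed for the example (a networked device's HTTP server is one of the test targets named in the solicitation); every "trusts" comment marks a missing check. The seed requests, the list of "interesting" tokens and the pump.local host name are all made up for the example. Any uncaught exception in the parser is treated as a crash, the software analogue of a device fault.

```python
"""Toy mutation fuzzer (added example; not Codenomicon/FDA code).

Target: a deliberately naive HTTP/1.x request parser, constructed here to
stand in for the kind of protocol parser a networked device might run.
Oracle: any uncaught exception is a "crash", the analogue of a device fault.
"""
import random
import traceback


# ---- Target under test (constructed; each 'trusts' comment is a missing check) ----
def parse_request(data: bytes) -> dict:
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ")       # trusts exactly three fields
    major, minor = version[len(b"HTTP/"):].split(b".")    # trusts the form HTTP/x.y
    headers = {}
    for line in lines[1:]:
        name, value = line.split(b":", 1)                 # trusts a ':' in every header
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))    # trusts a numeric value
    return {"method": method, "target": target,
            "version": (int(major), int(minor)),
            "headers": headers, "body": body[:length]}


# ---- Oracle: None if the input is accepted, else (exception type, crashing line) ----
def crash_signature(target, data: bytes):
    try:
        target(data)
        return None
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]   # innermost frame = target
        return (type(exc).__name__, frame.lineno)


# Tokens a fuzzer likes to splice in: delimiters, sign/overflow values, control bytes.
INTERESTING = [b"\x00", b"\xff", b" ", b":", b"\r\n", b"-1", b"4294967296", b"%n", b"\r\n\r\n"]


def mutate(rng: random.Random, data: bytes) -> bytes:
    buf = bytearray(data)
    op = rng.randrange(4) if buf else 2
    if op == 0:                                            # flip one bit
        i = rng.randrange(len(buf)); buf[i] ^= 1 << rng.randrange(8)
    elif op == 1:                                          # drop one byte
        del buf[rng.randrange(len(buf))]
    elif op == 2:                                          # splice in an interesting token
        i = rng.randrange(len(buf) + 1); buf[i:i] = rng.choice(INTERESTING)
    else:                                                  # repeat a slice (length stress)
        i = rng.randrange(len(buf)); j = rng.randrange(i, len(buf) + 1)
        buf[j:j] = buf[i:j] * rng.randint(1, 8)
    return bytes(buf)


def fuzz(target, seeds, iterations=3000, rng_seed=1):
    """Mutate the seed corpus; return {crash signature: first input that triggered it}."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = rng.choice(seeds)
        for _ in range(rng.randint(1, 4)):                 # stack a few mutations
            case = mutate(rng, case)
        sig = crash_signature(target, case)
        if sig is not None and sig not in crashes:         # de-duplicate by crash site
            crashes[sig] = case
    return crashes


def minimize(target, case: bytes, sig) -> bytes:
    """Greedy reduction: drop single bytes while the same crash signature persists."""
    i = 0
    while i < len(case):
        candidate = case[:i] + case[i + 1:]
        if crash_signature(target, candidate) == sig:
            case = candidate
        else:
            i += 1
    return case


SEEDS = [  # constructed, well-formed requests that the parser accepts
    b"GET /status HTTP/1.1\r\nHost: pump.local\r\n\r\n",
    b"POST /dose HTTP/1.1\r\nHost: pump.local\r\nContent-Length: 7\r\n\r\nrate=12",
]

if __name__ == "__main__":
    found = fuzz(parse_request, SEEDS)
    for sig, case in sorted(found.items()):
        print(sig, minimize(parse_request, case, sig))
```

Run it and each line of output is one distinct crash site in the parser together with a reduced input that reaches it: a request line with the wrong number of fields, a header without a colon, a non-numeric Content-Length, and so on. Three things in this toy carry over to real fuzzing campaigns: the oracle is deliberately crude (crash or no crash), findings are de-duplicated by where they fault rather than by input, and each finding is minimized before a human looks at it. Commercial suites such as the one the FDA requested typically go further and generate test cases from a model of the protocol instead of mutating sample messages, which reaches deeper states than random byte edits can.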

It was a fairly basic fuzzing attack, security researchers said, that brought down a Philips (NYSE:PHG) Xper hospital management system: the exploit ran to only 6 lines of code and took just a few days to find and write. Security experts Billy Rios and Terry McCorkle, who usually test security in industrial control systems, divulged that hack earlier this year after discovering that they could crash the systems, manipulate them and possibly use them as a gateway to reach and attack other networked devices.

The key to avoiding similar issues is to subject systems to such attacks during the test phase, so that they can better stand up to the barrage of malformed inputs that may come from attackers or even from benign sources such as a misbehaving peer on the network.

"That’s the piece that’s missing," McCorkle told MassDevice.com in an interview earlier this year. "You don’t have robust testing behind the scenes."

"Some bugs are exposed and fixed during the testing phase of a software development process," the FDA noted. "The bugs that slip past the testing phase without being found and fixed are unknown vulnerabilities and can be triggered, sometimes with catastrophic results, after the product release."

The agency selected Codenomicon's fuzzing suite because it subjects systems to a slew of tests and generates output reports defining potential weaknesses and even suggested fixes. The fuzzing program also runs on Java, which means it is easy to deploy on the FDA's existing computers.

The FDA requested Codenomicon tools to test Bluetooth connections, WiFi clients and HTTP servers. The agency also asked for a few radio and Bluetooth transmitters and some training and implementation services.

"When software is fuzz tested proactively, vulnerabilities can be found and fixed before deployment, resulting [in] more secure and robust, high quality software," the FDA said. "Fuzz tested product has [fewer] critical vulnerabilities that need to be patched. This means less cost from patch development and release, and product recalls."
