A handful of government bodies are asking federal regulators to establish medical device software security protocols as part of the FDA’s regular review of medical devices.
The U.S. Dept. of Homeland Security joined the Information Security & Privacy Advisory Board of the National Institute of Standards & Technology in calling for heightened review of medical devices, citing security weaknesses that may leave them vulnerable to "malicious tampering."
Although no malicious medical device software attacks have ever been reported (the 1st "ethical hack," in 2008, took place in an MIT research lab), the issue began to attract public interest after diabetic software security expert Jay Radcliffe hacked his own Medtronic (NYSE:MDT) insulin pump live on stage at a hacker conference in Las Vegas last summer.
Radcliffe showed the audience how a remote signal could access and manipulate his pump without setting off any alerts – from as far away as half a mile, he claimed.
Since then, members of Congress have petitioned the Government Accountability Office to conduct a review of the risks of medical device hacking, McAfee researcher Barnaby Jack demonstrated a lethal insulin attack that he could conduct from 300 feet away with an easily reproducible home-made antennae and at least 2 television programs have woven dramatic medical device hacking scenes into their stories (a February episode of NCIS entitled “Need to Know” and one of "1000 Ways to Die" by Spike TV, in case anyone’s interested).
Many medical devices are "vulnerable to cyber attacks by a malicious actor who can take advantage of routine software update capabilities to gain access and, thereafter, manipulate the implant," according to a bulletin posted by the National Cybersecurity & Communications Integration Center of the Dept. of Homeland Security.
In light of increasing use of wireless connectivity, "the communications security of [medical devices] to protect against theft of medical information and malicious intrusion is now becoming a major concern," the agency added.
The report, issued in conjunction with the Dept. of Health & Human Services and Veterans Administration, pointed to Radcliffe’s Las Vegas hack and the lab-based hack conducted at MIT as proof-of-concept research that demonstrated how little software security medical devices have.
In the MIT study, in which researchers reverse-engineered and then took control of a Medtronic pacemaker, the researchers needed only to know the patient’s name in order to hack the code and alter the programming, triggering unnecessary shocks or running programs that could prematurely deplete the implant’s battery.
"In an era of budgetary restraints, healthcare facilities frequently prioritize more traditional programs and operational considerations over network security," the agency added.
The bulletin followed a letter sent to the White House Office of Management & Budget calling for focused cybersecurity surveillance of medical devices.
In the letter the ISPAB warned that "lack of cybersecurity preparedness for millions of software-controlled medical devices puts patients at significant risk of harm."
"Software-controlled medical devices are increasingly available through and exposed to cybersecurity risks on the Internet; examples range from desktop computers controlling radiological imaging to custom embedded software found in pacemakers," the agency wrote. "With increasing connectivity comes greater functionality and manageability, but also increased risks of both unintentional interference and malicious tampering via these communication channels."
The ISPAB offered a handful of recommendations for protecting medical device software integrity, including giving the FDA the responsibility to assess devices cybersecurity during the pre-market clearance and approval of devices, establishing default security features that should come standard on medical devices at the time of purchase and creating a cybersecurity incident reporting framework.