Is FDA Medical Device Alert Tip of Iceberg?Why More Cybersecurity Warnings Could Be Coming
A warning issued last week by the Food and Drug Administration regarding security vulnerabilities found in certain infusion pumps of one vendor will likely be followed by cybersecurity warnings about flaws in medical devices from other manufacturers.
See Also: Threat Intelligence - Hype or Hope?
While the FDA in the last two years has been ramping up its awareness campaign of the importance of medical device security - through guidance and communications issued to device manufacturers and healthcare organization that use these products - a big part of the problem is that many of the medical devices still in use were developed years ago, before cybersecurity became a focus.
"It's inevitable with the large quantity of legacy medical devices that we should expect more security warnings," says Kevin Fu, the director of the Archimedes Center for Medical Device Security at the University of Michigan.
Ryan Kastner, co-director of the Wireless Embedded Systems Master of Advanced Studies Program at the University of California, San Diego, says security is "not a first order design constraint" in most devices. "Hopefully, this is the start of a series of wake-up calls that the industry needs to think deeply about the security of these systems."
The FDA on May 13 announced a warning about Hospira Lifecare PCA3 and PCA5 infusion pump systems. The computerized systems, designed for the continuous delivery of anesthetic or therapeutic drugs, can be programmed remotely through a healthcare facility's Ethernet or wireless network.
FDA issued the warning after an independent researcher released information about security vulnerabilities, including software codes, which, if exploited, could allow an unauthorized user to interfere with the pump's function. "An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies," the FDA said in the warning.
Independent security researcher Billy Rios says he first found security vulnerabilities while testing the Hospira Lifecare infusion pump systems in the spring of 2014. By May 2014, Rios contacted the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the Department of Homeland in May 2014 about his discovery. ICS-CERT contacted the FDA, he says. That kicked off a series of discussions involving Rios, ICS-CERT, the FDA and Hospira, about the need for Hospira to develop a patch to fix the vulnerabilities.
"These were pretty significant vulnerabilities," Rios says. "They basically allow someone to take control over the pump. The changes needed in the patch are extensive, requiring the vendor to resubmit" the device software for approval by FDA.
However, in the meantime, during this process, a second independent researcher, based in Ontario, Canada, also found the same vulnerabilities that Rios identified in the Hospira infusion pumps in 2014. That researcher released those findings, which prompted FDA to issue the warning last week, Rios says.
The FDA became aware of cybersecurity vulnerabilities associated with the LifeCare PCA 5 infusion pumps through ICS-CERT and has been working with the company and ICS-CERT to address the vulnerabilities. "The FDA became aware of the vulnerabilities with the PCA 3 when an independent researcher published information," an agency spokeswoman says.
In a statement posted on its website, Hospira says there were no instances of cybersecurity breaches of its devices in a clinical setting. "Hospira has communicated with existing customers on how to address the vulnerabilities and continues to reach out to customers following the recent advisories from the FDA and the DHS," a company statement says. "These advisories acknowledge that Hospira has been actively engaged with the FDA and DHS regarding developments around device cybersecurity. Hospira has put further cybersecurity protections in place in our next-generation LifeCare PCA device and software, which were submitted in December 2014 to FDA for clearance."
Hospira did not immediately respond to a request for additional comment.
FDA Radar Screen
FDA has been ramping up its efforts to get product manufacturers and healthcare organizations, such as hospitals, more proactive in their handling of medical device security issues. For instance, last October, the FDA issued a voluntary, final guidance recommending that manufacturers consider cybersecurity risks as part of the design and development, and lifecycle of medical devices. FDA has also been advising healthcare organizations to carefully consider medical devices in their security risk assessment (see FDA Issues Medical Device Security Guide).
The advice in FDA's pre-market cybersecurity guidance last fall about considering security in the design of devices likely would have prevented the particular security problems found in Hospira infusion pumps.
"I visit a lot of manufacturers, and I find that every engineer genuinely cares about helping patients," Fu says. "But cybersecurity is a relatively new problem for the medical device industry. The most successful device manufacturers engage quite productively with the security engineering community, but it takes years of good will to establish the mutual trust between researchers and manufacturers.
"These types of security vulnerabilities trace back to shortfalls in early requirements engineering. In the old days, cybersecurity was not part of the balanced breakfast of medical device design. Those days are over. The latest [FDA] security warning is a classic example of why cybersecurity is essential to hazard analysis and risk mitigation."
As medical devices increasingly rely on connections to the Internet, hospital networks and to other medical devices to communicate, security risks grow. "While these connections can improve devices' interconnectedness and interoperability, they can also introduce vulnerabilities to cybersecurity breaches that could impact public health," the FDA spokeswoman says. "Cybersecurity threats are constantly evolving. As medical devices become more interconnected through wired and/or wireless connections, they may become more vulnerable. Manufacturers, hospitals, and other healthcare facilities share the responsibility of managing cybersecurity vulnerabilities."
Some medical device manufacturers already are taking steps to bolster the cybersecurity of its products. "We are aware of a number of large medical device manufacturer that are making excellent progress in their cybersecurity programs and very engaged with FDA, health systems and DHS to help ensure the safety of their products, says Dale Nordenberg, M.D., founder of the Medical Device Innovation, Safety and Security Consortium. "Additionally, "it's important to appreciate that not all medical device cybersecurity vulnerabilities represent a safety risk."
There are likely to be more FDA alerts about medical device cybersecurity problems with other products, including issues that don't necessarily present patient safety concerns.
"I worry about home care devices and devices that connect to a cloud infrastructure as the less controlled environments present ideal conditions for cybersecurity threats," Fu says. "However, there is no reason to panic."
The FDA declined to comment on whether it is planning to issue any additional medical device security alerts in the near future.