How to Minimize Medical Device RisksEthical Hacker Offers Action Items
Malware and hackers present potential security threats to wireless medical devices and safety risks to the patients who use them. But healthcare organizations and device manufacturers can take several steps to curtail those risks, says an ethical hacker who has demonstrated the vulnerability of various devices.
Barnaby Jack, director of embedded device security at services firm IOActive, recently demonstrated how an implanted wireless heart defibrillator can be hacked from 50 feet away to deliver a potentially dangerous shock. About a year earlier, Jack and a research team at his former employer McAfee demonstrated how they could use a PC and an antenna to gain control of an insulin pump (see: Medical Device Hack: A Turning Point?). Jack declines to elaborate how his latest hacking demonstration was accomplished in order to prevent copy-cats.
So far, there's no clear-cut evidence that hackers have ever caused harm to a patient with a wireless medical device, according to a recent Government Accountability Organization report that urges the FDA to develop a plan to improve tracking of device security and safety issues (see: GAO Spotlights Medical Device Security).
Raising Important Issues
Jack says his two demonstrations were designed to highlight that "the security and safety of these devices go hand in hand."
And while his demonstrations are dramatic and security risks of medical devices are real, Jack cautions that patients should not discontinue using potentially life-saving products out of fear.
The benefits of using medical devices far outweigh the security risks, Jack stresses. "I don't think people should feel threatened individually," he says. "The last thing we want to do is for people to lose faith in these life-saving devices."
Instead, Jack is hoping his demonstrations lead to improved medical device security practices.
"The problem with medical devices is that they often run older versions of Windows [operating system] and are vulnerable to older malware," Jack says. "Hospitals are often not allowed to update their software or install anti-viral software in fear of running afoul of [Food and Drug Administration] regulations."
Some healthcare information security leaders say there is a lack of clarity from the FDA and medical devices companies on whether software patches and updates can be applied to products as a security precaution. While the FDA doesn't specifically prevent healthcare providers from adding these updates, some medical device vendors do not permit operators of their products to apply software patches to devices that have been FDA-approved, they say.
Nevertheless, Jack urges healthcare organizations to minimize risks by keeping their medical device operating systems and software patches up to date and segregating medical devices on internal networks, avoiding connecting them to the Internet.
And he advises manufacturers to implement a "secure development life cycle" that includes security testing by third parties. All code should be audited for security vulnerabilities before products are presented to the FDA for certification, he stresses.
The safety and security of medical devices, Jack says, "is mostly a responsibility that lies with the device makers."
In the meantime, the FDA needs to promptly address a number of recommendations in the recent GAO report that suggested ways of bolstering medical device safety and security in the life cycle of the products, Jack says. The report called on the FDA to improve the reporting and tracking of security as well as safety issues.
The FDA has a number of initiatives under way to address medical device safety and security, including a proposed unique device identification system that aims to help post-market surveillance of safety issues, including malware (see: Medical Device IDs and Patient Safety). The FDA recently closed its public comments phase on the identifier proposal, and the agency expects to publish a final rule by May 2013.
The FDA also is developing a replacement for its 15-year-old adverse event reporting system. The new system is targeted for a September 2013 launch.
One recent study that looked at nine years worth of data from publicly available FDA databases found that the agency collects little information about security problems in medical devices. The study by researchers at Harvard Medical School, Beth Israel Deaconess Medical Center in Boston and the University of Massachusetts Amherst computer science department found that information can be extracted from FDA databases to find records about the reporting of adverse events and recalls of devices that had problems with labeling, battery failure, sterility and software issues. However, little or no information was available about product recalls and adverse events related to privacy and security problems (see: Medical Device Security Info Lacking.)
"Security vulnerabilities can very easily develop into safety issues," Jack says in stressing the importance of the FDA improving its collection and tracking of security issues involving medical devices.