The U.S. Food and Drug Administration (FDA) recently announced that it
is moving forward on efforts to strengthen the cybersecurity of medical
devices. While pacemakers, defibrillators, and insulin pumps seem like
unlikely targets for hackers, a security breach could have drastic consequences.

According to the FDA, its
concerns about cybersecurity vulnerabilities include malware infections on network-connected medical devices or computers,
smartphones, and tablets used to access patient data; unsecured or uncontrolled
distribution of passwords; failure to provide timely security software
updates and patches to medical devices and networks; and security vulnerabilities
in off-the-shelf software designed to prevent unauthorized access to the
device or network.

Although no hacking attempts have been reported to date, researchers have
recently shown how easily the security of medical devices can be compromised.
Security researcher Jerome Radcliffe made headlines when he demonstrated
at a 2013 security conference how he could hack his own insulin pump.
Researchers at the Medical Device Security Center have also provided evidence
that devices like pacemakers and defibrillators could be accessed remotely,
allowing an attacker to transmit a fatal shock to a patient or shut down
the device completely.

Given the potential threats, the FDA recommends that medical device makers
address cybersecurity as part of the design and development of a product
and submit documentation to the agency about the risks identified and
controls in place to address them. The guidance also proposes that manufacturers
submit their plans for providing patches and updates to operating systems
and medical software.