FDA Guidelines Target IoT Medical Device Security

The U.S. Food and Drug Administration last week took a step toward addressing the threat the Internet of Things poses to patients and their data by releasing some proposed guidelines for managing cybersecurity in medical devices.

“A growing number of medical devices are designed to be networked to facilitate patient care. Networked medical devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats,” the FDA says in its proposal.

“The exploitation of vulnerabilities may represent a risk to the safety and effectiveness of medical devices and typically requires continual maintenance throughout the product life cycle to assure an adequate degree of protection against such exploits,” the agency notes.

“Proactively addressing cybersecurity risks in medical devices reduces the patient safety impact and the overall risk to public health,” it says.

The guidelines offer best practices for assessing, remediating and reporting cybersecurity vulnerabilities in medical devices.

Stakeholders have 90 days to submit comments to the FDA on the proposed guidelines before they’re finalized.

An IoT First

“The FDA is to be congratulated because this is the first time that somebody is acknowledging the risk associated with the Internet of Things,” said Torsten George, vice president for global marketing at RiskSense.

The agency is raising the security bar for medical device makers, said Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society.

“I think that provides some assurance for healthcare providers, but they need to scan their networks for vulnerabilities, too,” she told TechNewsWorld. “The healthcare providers can’t turn a blind eye to this either.”

The guidelines are especially important because healthcare IT is very compliance-oriented, noted Chris Wysopal, CTO of Veracode.

“If a regulating authority doesn’t have anything to say, organizations think they don’t have to do anything because they don’t take a risk-based approach, as financial service companies or manufacturers do when they try to protect their brand or intellectual property,” he told TechNewsWorld.

Guidelines With Teeth

While the FDA’s move is a good one, guidelines are only recommendations on how to behave. Medical device makers could ignore them without having to worry about punishment — yet.

“There are no fines mentioned yet, but they could come,” RiskSense’s George told TechNewsWorld.

Competition also could play a role in nudging device makers to comply with the guidelines.

“There are so many medical devices out there and so much competition that a differentiating factor could become compliance with these guidelines,” HIMSS’s Kim said.

The guidelines could provide fodder for potential legal actions against device makers.

“The courts are being very stringent when it comes to cybersecurity. If you’re not following best practices these days, the courts are leaning toward consumers and end users when making their judgments,” George noted.

“There’s the potential that some attorneys looking at this would use these guidelines to establish negligence in a civil case,” Kim said. “That legal pressure could be a motivator for medical device manufacturers to shore up their security practices.”

More Concern Over App Flaws

Healthcare IT execs don’t seem to share the FDA’s heightened concern over the risks medical devices pose to patients and their data, according to a survey released last week by Veracode and HIMSS.

The survey, which was part of Veracode’s “State of Web and Mobile Application Security in Healthcare” report, found that only 7 percent of the 200 participating healthcare IT execs placed the insecurity of IoT devices — such as medical devices, POS devices, printers and building automation — on their list of top security threats.

What most concerned the execs was cyberattackers exploiting vulnerabilities in applications (28 percent), followed by phishing attacks on employees, negligent employees and malicious insiders (26 percent).

Fears over application vulnerabilities are being raised with good reason.

“Data from actual code-level analysis of billions of lines of code conducted by Veracode shows that 80 percent of healthcare applications exhibit cryptographic issues such as weak algorithms upon initial assessment. Given the large amount of sensitive data collected by healthcare organizations, this is quite concerning,” the report notes.

“In addition, healthcare fares worse than the vast majority of other industries when it comes to addressing remediation, with only 43 percent of known vulnerabilities being remediated,” it continued.

Healthcare organizations should test the medical devices they use and hold vendors accountable for security gaps, the report recommends.

“Many medical devices, including MRI scanners, X-ray machines and drug infusion pumps, are vulnerable to hacking, creating significant health risks for patients,” the report notes.

Breach Diary

  • Jan. 18. Softpedia reports confirmation of a data breach that compromised a database of 6 million Nexus Mods user accounts. Nexus Mods is the biggest gaming mods database on the Internet.
  • Jan. 18. New West Health Services reports theft of laptop containing personal information of current or former customers. The breach reportedly could affect 25,000 people. However, the company says there is no evidence that the data has been accessed or used.
  • Jan. 19. Security researcher Chris Vickery reports that a database containing the private account information of 325,000 Earbits users was exposed on the Internet for an unknown period of time.
  • Jan. 20. FACC announces it incurred US$55 million in damages when its financial accounting department was the target of cyberfraud.
  • Jan. 20. SplashData releases annual list of worst passwords. Its analysis of more than 2 million leaked passwords in 2015 reveals that the most used password was “password,” followed by 123456 and 12345678.
  • Jan. 20. A distributed denial-of-service attack disrupts the website for Ireland’s National Lottery for two hours.
  • Jan. 20. Students at Virginia Tech University petition the administration to remove two-factor authentication requirement for certain sites because it’s a “hassle.”
  • Jan. 21. Kantar Worldpanel Comtech reports TalkTalk, which suffered a large data breach in last year’s fourth quarter, lost 7 percent of its customers and 4.4 percent of its market share during that period.
  • Jan. 21. Irish Computer Society releases a survey that found 55 percent of Irish businesses have seen their data stolen, hacked or otherwise compromised over the last year largely because of “negligent employees.”
  • Jan. 22. The Obama administration announces it has asked the Defense Department to design, build and operate a new computer system for storing and processing personal information for federal employees, contractors and others. According to news reports, the move is a response to the massive data breach at the Office of Personnel Management last year.
  • Jan. 22. The University of Virginia announces that a data breach of its human resources systems has exposed tax information for 1,400 employees and direct deposit banking information for 40 others.
  • Jan. 22. Irish government websites return online after DDoS attack took them offline.
  • Jan. 22. Northwest Territories Power sends letter to an undisclosed number of customers informing them that their personal information was sent accidentally to a customer in an email attachment. The company says the customer did not open the email and has signed a confidentiality agreement.

Upcoming Security Events

  • Jan. 28. Understanding Malware Lateral Spread Used in High Value Attacks. Noon ET. Webinar sponsored by Cyphort. Free with registration.
  • Jan. 28. State of the Phish — A 360-Degree View. 1 p.m. ET. Webinar sponsored by Wombat Security Technologies. Free with registration.
  • Jan. 28. Cybersecurity Forecast: What’s on the Horizon. 2 p.m. ET. Webinar sponsored by Kaspersky Lab. Free with registration.
  • Feb. 3. Building an IT Security Awareness Program That Really Works. 2 p.m. ET. InformationWeek DarkReading webinar. Free with registration.
  • Feb. 4. 2016 annual Worldwide Infrastructure Security Update. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • Feb. 9. Start With Security. University of Washington Law School, 4293 Memorial Way NE, Seattle. Sponsored by Federal Trade Commission. Free.
  • Feb. 11. SecureWorld Charlotte. Charlotte Convention Center, 501 South College St., Charlotte, North Carolina. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • Feb. 11. Data Breach & Privacy Litigation Conference. Julia Morgan Ballroom, 465 California St., San Francisco. Registration: attorneys and companies, $795; litigation service provider, $1,195; law firm assistant, $375; legal marketing attendee, $595.
  • Feb. 11-12. Suits and Spooks DC. The National Press Club, 529 14th St. NW, Washington, D.C. Registration: $599; government and academia, $499.
  • Feb. 16. Architecting the Holy Grail of Network Security. 1 p.m. ET. Webinar sponsored by Spikes Security. Free with registration.
  • Feb. 17. Stopping Breaches at the Perimeter: Strategies for Secure Access Control. 1 p.m. ET. Webinar sponsored by 451 Research and SecureAuth. Free with registration.
  • Feb. 20. B-Sides Seattle. The Commons Mixer Building, 15255 NE 40th St., Redmond, Washington. Tickets: participant, $15 plus $1.37 fee; super awesome donor participant, $100 plus $3.49 fee.
  • Feb. 28-29. B-Sides San Francisco. DNA Lounge, 375 11th St., San Francisco. Registration: $25.
  • Feb. 29-March 4. RSA USA 2016. The Moscone Center, 747 Howard St., San Francisco. Registration: full conference pass before Jan. 30, $1,895; before Feb. 27, $2,295; after Feb. 26, $2,595.
  • Feb. 29-March 4. HIMSS16. Sands Expo and Convention Center, Las Vegas. Registration: before Feb. 3, $865; after Feb. 2, $1,165.
  • March 10-11. B-Sides SLC. Salt Palace Convention Center, 90 South West Temple, Salt Lake City. Registration: $65.
  • March 18. Gartner Identity and Access Management Summit. London. Registration: before Jan. 23, 2,225 euros plus VAT; after Jan. 22, 2,550 euros plus VAT; public sector, $1,950 plus VAT.
  • March 29-30. SecureWorld Boston. Hynes Convention Center, Exhibit Hall D. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
