Mass media attention to Edward Snowden’s National Security Agency secrets leak, the rise of the “surveillance state,” reviews of The New Digital Age, and other cyberspace alarms all serve to dramatize FDA’s own contribution in June: an appeal to medical device manufacturers to strengthen their products against cyber attacks.
In The New Digital Age, authors Eric Schmidt and Jared Cohen predict a rapidly coming future when cyber attacks occur in unlikely products—cardiac pacemakers, defibrillators, hospital-based life-support devices and systems— and are perpetrated by lone hacker-terrorists.
Although it readily acknowledges that there have been no such medical device incidents yet─and the industry’s initial response has been mild─FDA’s “safety communication” to industry foresees danger. In this, it is reflecting a government-wide heightened concern that Washington be ahead of the cyber risk curve. Better to be too careful than not careful enough.
FDA urged device manufacturers and healthcare facilities to take steps to assure that appropriate safeguards are in place to reduce risk of failure due to cyber attack that could come through introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks. The alert identifies risks of the following:
Network-connected and configured medical devices infected or disabled by malware.
The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices.
Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical, and maintenance personnel).
Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices).
Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/SQL injection.
Among explicit recommendations in the alert is advice to manufacturers that they “take steps to limit unauthorized device access to trusted users only, particularly for those devices that are life-sustaining or could be directly connected to hospital networks.”
Further it suggests that appropriate security controls might be varied. They could include user authentication through user ID and password, smartcard, or biometrics, for example. Controls could also take the form of “strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.”
Companies should protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Emphasizing that FDA normally does not need to review or approve software changes that are solely to strengthen cybersecurity, the agency says such strategies “should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code.”
FDA asks companies to use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes,” and to provide methods for retention and recovery after an incident where security has been compromised.
Reflecting the government-wide heightened concern, FDA’s alert says: “Cybersecurity incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.”
In response to the alert, AdvaMed senior executive vice president for technology and regulatory affairs Janet Trunzo issued a low-key statement saying that industry understands FDA’s desire to be cautious even though no patient harm has been seen to date. She said the “ubiquity of digital technologies offers patients significant benefits, and the risk of a malicious cyber attack is low when compared to these benefits. At the same time, manufacturers recognize the need for increased security with these devices.”