As greater wireless functionality is incorporated into medical devices, the risk of security problems increases.
In 2011, the software security expert Jay Radcliffe hacked his insulin pump on stage at the Black Hat security conference in Las Vegas, demonstrating that a remote user could take control over the pump, potentially delivering a fatal dose of insulin. Radcliffe was a trailblazer in the field, advocating to both FDA and industry to help make devices safer. (Note: He’ll be speaking on the issue at the upcoming BIOMEDevice San Jose event.)
Other security experts, such as Barnaby Jack and Kevin Fu, revealed similar security flaws in other medical devices, eventually helping draw the U.S. government's attention to the problem. Last year, the FBI released a warning about medical device cybersecurity. The FDA followed with cybersecurity draft guidance.
And, in May, FDA took unprecedented action by releasing a pair of warnings related to two Hospira infusion pumps: the PCA3 and PCA5 infusion pumps. The PCA3 pump “suffers from a number of remotely exploitable vulnerabilities,” explains SAINT Corp. software security engineer Jeremy Richards, one of the experts who discovered the security problem with the PCA3 pump. “This device is literally the least secure IP enabled device I’ve ever touched in my life,” he said in a blog post.
FDA apparently agreed that they were unsafe. “We warned that certain cybersecurity-related vulnerabilities were found that could result in the over- or under-infusion of critical therapies, and offered specific mitigation tactics for addressing those vulnerabilities,” says Angela Stark from the FDA’s Office of Media Affairs.
The agency stopped short of recalling the devices, however.
In an interview with Qmed, Radcliffe opined that the industry has room for improvement when it comes to cybersecurity. Because many firms lack extensive security experience, it often makes sense for them to partner with security firms, ideally starting early in the product development cycle.
Security is especially important as the medtech industry works to incorporate ever-greater computing and wireless functionality into its products. “As we go down this path of using medical and wearable technology to help optimize health and guide treatment of medical conditions, the caveat is that sending medical information to the cloud or a smartphone can possibly open up significant security risks,” he says.
The medical device industry would be well served to study how other industries have addressed their own unique security concerns over the years and how they continue to address them now. Consider the financial sector, for instance. “If you would go back 10 years and tell someone that, in 2015, they are going to do almost all of their banking on their cell phone, people would have probably laughed and thought: ‘I don’t think that is safe.’ Now, mobile banking is a big part of the economy,” Radcliffe says. “I think 10 years from now, people will consider how a lot of illnesses are treated and say: ‘wow, you used to go to the doctor’s office for that?’”
While in a decade’s time many medical conditions may indeed be monitored with connected technology, it is a good idea for the device industry to work slowly and deliberately towards that vision. “We want to make sure that we get the security part of it right,” Radcliffe concludes.
Medical device companies should work to be as proactive as possible in identifying potential security problems, rather than solely relying on FDA guidance. “The FDA is in the process of trying to figure out how to provide security for these devices as they connect them to a larger world—an interconnected world,” Radcliffe explains. “While the FDA has released cybersecurity guidance, the FDA doesn’t have a lot of computer scientists or computer security experts on its staff,” he says. “The manufacturers are a little bit in the same kind of predicament. They need a lot of lead time to develop new devices to get FDA approval and they are trying to figure out how they can incorporate the best of technology and make it safe and effective.”
Consider the case where, this summer, FDA released warnings about an additional infusion pump, which was detailed in a July 31 safety communication. Angela Stark, the public affairs specialist at FDA, explains that: “The summer safety communication that we issued encouraged facilities to transition away from using the Symbiq infusion system.”
While novel medical devices with novel wireless functionality can pose unique security risks, basic steps can sometimes pay big dividends. Consider, for instance, the power of solid password security: The 2014 Verizon Data Breach Investigations Report found that more than 70% of all data breaches were related to passwords. “Passwords provide the primary of authentication. They are a big, big aspect of security. Your medical device should be designed to make sure people are maintaining good password hygiene. Are they using passwords that are long enough and secure enough?” Some medical devices still don’t even allow the user to change the password, Radcliffe says. “In some cases, the password is hard-coded in.”
Making matters worse is the demand on the black market for medical records. Recently, KrebsOnSecurity found that some medical records are being sold in bulk for only $6.40 apiece, including identifying information such as name, address, Social Security number, driver’s license number, and so forth.
Radcliffe recommends that medical devices that transport sensitive patient data or protected health information should incorporate scientifically-vetted encryption.
If anything, medical devices should be designed to offer more security than other consumer technologies—not less. “Medical devices are connected to people. They are not as simple as an iPhone app,” Radcliffe says.