The US Food and Drug Administration (FDA) has been called a "toothless dragon" in the past when it comes to medical device security, but one security expert believes the FDA is only one of many impotent agencies that need to get their act together.
The security of our medical devices, including pacemakers, embedded cardiac devices, and insulin pumps, has come under scrutiny as of late. The industry was shocked in 2012 when researcher Barnaby Jack from security vendor IOActive discovered transmitter security flaws which could be used to deliver lethal shocks to patients' pacemakers, and in 2015, researchers discovered 68,000 medical devices open to exploit online.
This year, St. Jude Medical patched a number of security flaws found within the company's cardiac devices that could allow attackers to deplete the battery of these heart-supporting devices, cause them to shock patients or force hearts to beat too rapidly.
Some may argue that there is little chance that attackers would target individuals and their medical devices unless they have an ax to grind with a single person.
However, speaking to ZDNet, Daniel Miessler, director of advisory services at IOActive, said that cyberattacks which put patient lives at risk are a reality.
"The St. Jude situation showed us that this is not theoretical," Miessler says. "IOActive's stopping the car on the freeway showed that it's not theoretical. We are at the tiniest fraction of the beginning with systems being connected to the internet. We've not seen anything yet."
"Imagine having only 10 cars on the road in the early 1900s and asking if the whole car thing is an overblown concept. That's where we are with connected systems," he added.
Despite growing concern over how secure these devices are and how much importance vendors place on security at the manufacturing level, if Billy Rios' saga with Hospira pumps is anything to go by, agencies such as the FDA have a lot of work ahead of them to keep devices up to standard.
In 2013, as documented by Bloomberg, security researcher Billy Rios began experimenting with a Hospira Symbiq infusion pump he found on eBay.
The researcher quickly discovered the pump could be attacked remotely to dispense incorrect amounts of medication into a patient. These findings were sent to the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the FDA, and Hospira.
However, after months of waiting, Rios received no response.
"The FDA seems to literally be waiting for someone to be killed before they can say, 'OK, yeah, this is something we need to worry about,'" Rios told the publication.
At the time, reports began to surface of successful cyberattacks against hospitals. Malware was discovered on antiquated computer systems and staff became victims of phishing campaigns.
Rios remained concerned and, after talking to federal regulators about the emerging problem, was sent an email from DHS which said the agency was "not interested" in exploring the security of other medical devices.
It took a public video documenting the researcher's successful attack on the pump to finally get the FDA's attention. A year after the saga first began, the US agency sent out an advisory to hospitals warning them of the security flaws in the Hospira pump.
The Symbiq was taken off the market, but other pumps already being used in hospitals were not investigated at all -- which made the FDA advisory seem like little more than empty words.
Mike Ahmadi, an active researcher in the medical device arena, said, "It was the moment we realized that the FDA really was a toothless dragon in this situation."
Today, little has changed. Hospitals are being held hostage by ransomware, healthcare insurance providers are becoming victims of data breaches, and the personally identifiable information (PII) of patients is being stolen from clinics.
Back in 2014, the Center for Internet Security and the Medical Device Innovation, Safety and Security Consortium issued medical device security guidance for manufacturers and users (IEC/TR 80001-2-2), and the US Food and Drug Administration (FDA) also released recommendations (.PDF) for building security into medical devices at the manufacturing level.
In 2016, the FDA released another set of tips (.PDF) for how devices can be protected once they've entered hospitals and homes, but this guidance is not legally binding.
Because manufacturers are not required to notify the FDA of security holes or threats, they are not held to account under these "toothless" recommendations -- unless death or serious harm to a patient is involved. Vendors must meet 30- or 60-day mitigation criteria (.PDF) to reduce the risk of a security flaw -- but the FDA does not insist on reports unless the situation is extreme.
However, Miessler says that the challenge of improving medical device security does not begin and end with the FDA. Instead of the US agency being the only "toothless dragon" in the fight to improve security, the agency is only one of "a horde of them."
In other words, every player, from government to consumer level, must up their game to protect medical devices, through regulation, product choice, and the development of security practices at the manufacturing level.
"It's many things working at once," Miessler says. "The public becomes more aware of the issues and it will slowly start affecting their choices, the vendors try to get better to have a competitive advantage, and the government will try to enforce standards."
"These are the three heads of the dragon that will lead to eventual improvement. And the catalyst will, unfortunately, be increasingly severe incidents as they relate to human safety," the executive added.
The FDA needs to create and push forward guidelines which will protect medical devices, and impose legal consequences for breaking these rules. However, the issue does not come down to manufacturers alone, as hospital network security, firewalls, and perimeter defense must also come into play.
Nader Henein, regional director of advanced security assurance advisory at BlackBerry, told ZDNet that while the FDA has done "moderately well" with at least providing cybersecurity guidance, criticisms leveled at the agency do have merit.
"Concerns over the FDA's commitment to securing medical devices are understandable, considering the organisation doesn't yet mandate an actual security assessment program for connected devices," Henein said. "But this is not to suggest that the healthcare industry's fight against cyber-crime is the FDA's sole responsibility."
"While the FDA has recently offered advice on how to best protect medical devices, the onus is also on product manufacturers, and software providers, to ensure that their offerings are up to scratch, and resilient to all forms of cyber-attacks," the executive noted.
Hospira once argued that these third-party networks should be considered the "primary defense against tampering with medical devices," but device makers cannot be let off the hook so easily. Manufacturers and healthcare providers must work together to protect medical devices and patients -- and the FDA, alongside other international watchdogs, must take a stronger stance to oversee the industry.
Update 15.2: Added clarification to the story relating to the FDA's guidance.