And that risk, while there are no reports yet of deaths caused by it, is real. Medical devices have been rigorously designed to work properly for years. But most have not been designed with cybersecurity in mind, and many of them remain insecure to the point of potential catastrophe, as an audit of a health organization showed in 2014 – things like, “lack of authentication …; weak passwords or default and hardcoded vendor passwords like ‘admin’ or ‘1234’; and embedded web servers and administrative interfaces that make it easy to identify and manipulate devices once an attacker finds them on a network.”
Andrew Ostashen, cofounder and principal security engineer at Vulsec, said he was at a hospital when a neonatal system “went offline from discovery scan through an assessment due to the fact the organization was not aware where the device was configured in the network.”
That, he said, meant that hackers would be able to take the same system offline if they got inside the organization. In this case, “luckily the device was not in use at the time of the assessment. Otherwise, this could have been catastrophic,” he said.
And while physical harm to patients is clearly the most crucial risk to mitigate, there is also the risk of attackers hijacking a device in order to get inside a healthcare organization’s network.
TrapX Labs, a cybersecurity defense vendor, in a breach report at the end of last year, said hijacked medical devices are being used as a back door to hospital networks.
“Unfortunately, hospitals do not seem to be able to detect MEDJACK or remediate it,” said Moshe Ben-Simon, cofounder and vice president of services, in a press release.
So, how far will the recent FDA guidance move the security needle? It wouldn’t have to move much to make a difference.
As Schneier noted, the new guidance does not break major new ground. It covers what most experts call good risk management and security “hygiene.” The FDA said in its statement that its recommendations are “encompassed” by the QSR and include requirements for handling complaints, audit standards, corrective and preventive action, software validation and risk analysis and servicing.
The agency also calls for manufacturers to, “apply the NIST (National Institute of Standards and Technology) voluntary cybersecurity framework, which includes the core principles of ‘Identify, Protect, Detect, Respond and Recover.’”
But the overall focus, which calls for manufacturers to maintain the security of devices throughout their entire life cycle, is significant since, as has been widely reported, those devices tend to have a development cycle of five years or more, and then useful lives of 10 to 20 years.