The Food and Drug Administration is asking the public to weigh in on the cybersecurity of medical devices and holding a conference on the subject, organized in collaboration with the Department of Homeland Security.
The conference — technically a workshop — will be open to the public and take place on Oct. 21-22, during National Cybersecurity Awareness Month, in Arlington, the agency said. Among the themes covered will be “identifying cybersecurity gaps and challenges, especially end-of-life support for legacy devices and interconnectivity of medical devices.” The agency will also accept written comments on the issues covered at the workshop until Nov. 24.
Medical devices, like objects in almost all other aspects of consumers’ lives, are increasingly being networked as we move toward what many observers call the “Internet of Things” era. But with connectivity often comes greater vulnerability — and like many other embedded technologies, older medical devices may not necessarily have been designed with security in mind, or may be difficult to patch with fixes when a problem is spotted.
In the past, cybersecurity researchers have demonstrated some alarming problems. Jay Radcliffe, a researcher currently working at cybersecurity firm Rapid7, demonstrated at a 2011 conference a way to wirelessly hack some insulin pumps, with potentially fatal results.
A Government Accountability Office report published in 2012 urged the FDA to expand its consideration of cybersecurity threats in medical devices — and since then, Radcliffe says he has been impressed with those efforts. “For a government agency, they’re moving really fast to address this issue.”
The agency has issued guidance on the subject and acquired the technology so it is better equipped to test the security of medical devices, he says.
But Radcliffe thinks medical device cybersecurity will become even more important as patients start to want to monitor their health information from their smartphones. “The problem right now is in its infancy stage, the real concern comes with the next generation of devices — they’re going to have Bluetooth, and that opens up a larger amount of risk,” he says.
Many of the technologies currently in use are built on proprietary standards that would require an adversary to specifically target the device, but opening it up to connect with cellphones or cloud services could increase the attack surface for gaining access to a medical device, Radcliffe worries.
Radcliffe is excited about the FDA workshop — saying it shows the agency is working to include the cybersecurity industry and the general public as it wades deeper into how to digitally protect medical devices.