To Secure Medical Devices, the FDA Turns to Ethical Hackers
24.10.2018 securityaffairs

The U.S. Food and Drug Administration (FDA) is embracing the work of ethical hackers and their research to secure medical devices.
Hacking is an ever-present concern in today’s highly connected society. People typically shudder to think about their smart speakers or home security systems getting compromised, and indeed, vulnerabilities in those devices would be traumatizing.

But the consequences could arguably be much worse if hackers set their sights on medical devices. Those products are widely used and are forecast to grow three percent annually through at least 2022.

Ethical hackers have contacted device manufacturers after exposing vulnerabilities in their products. All the while, the U.S. Food and Drug Administration (FDA) has historically stayed neutral in the debate about what role — if any — those individuals should play in exposing weak spots in medical technologies.

But that is changing: the agency reports it is embracing the work of ethical hackers and using the findings those parties produce to shape its actions.

[Image: medical devices. Image by Rawpixel]

A Problem Revealed in Pacemaker Implants
A recent example of a medical device problem concerns a pacemaker manufactured by Medtronic. Billy Rios and Jonathan Butts, two cybersecurity researchers, found a flaw that could let hackers remotely change the settings of the device, potentially leading to dire consequences.

The FDA and Medtronic then issued cybersecurity warnings about the pacemakers. Additionally, Medtronic suspended the periodic Internet-based updates on tens of thousands of the pacemakers until the company comes up with an effective fix for the problem.

The FDA Provided Much-Needed Momentum
The FDA was instrumental in making Medtronic respond after hearing about the pacemaker’s security shortcomings. Butts and Rios disclosed the flaw to Medtronic in January 2017, but it took more than a year for the company to release security bulletins responding to the identified issues.

The company asserted, though, that it wasn’t possible to remotely manipulate the devices. It also said the vulnerability was “controlled” and not an immediate threat to patients. The two ethical hackers continued engaging back and forth with Medtronic for months, then handed their research to the FDA. The agency followed up by doing its own analysis.

Ultimately, the FDA said its findings matched the previous investigation, and that statement caused Medtronic to admit the bugs could hurt patients if not patched. Such progress emphasizes why the FDA’s collaboration with cybersecurity researchers could be so advantageous for the technology community and consumers alike.

To reiterate, the researchers tried for months to get the manufacturer to take their concerns seriously, to no avail. It was the FDA’s involvement that brought about the company’s crucial change in attitude. If such partnerships continue, patients could benefit from safer products as ethical hackers get more recognition for their worthy research.

A Future-Oriented Mindset
It also appears the situation above won’t be a one-off instance of the FDA’s collaboration with ethical hackers. According to Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health, there is a recognition that cybersecurity researchers have a crucial role to play in revealing medical device issues that could be disastrous if left unchecked.

For example, some of the possible ways to manipulate medical devices include making them behave strangely without a patient or caregiver’s knowledge, or causing the gadgets to give incorrect readings that could change a user’s treatment plan. Hacks could also make diagnostic equipment, such as MRI machines, shut down.

When speaking to The Washington Post, Shuren mentioned the importance of “proactively cultivat[ing] that relationship with the researcher community because they have an integral role to play.” That statement strongly implies the FDA is finally taking the side of the cybersecurity community by affirming how its researchers could be partners in making medical devices as secure as possible.

Shuren also noted that the FDA encourages device manufacturers to rely on ethical hackers internally as well, especially if those companies don’t have people already on board to explore possible shortcomings and fix them before product releases.

The FDA and the Department of Homeland Security have also signed a memorandum of agreement to work more closely with each other on securing medical devices. The hope is that, when vulnerabilities are identified, the teamwork between the two agencies will let them keep pace with medical technologies as they change and assist medical companies in responding to the security weaknesses.

Government Agencies Present at Cybersecurity Conferences
In August 2018, a representative from Shuren’s department at the FDA attended a presentation Butts and Rios made at a cybersecurity conference to demonstrate another issue — this time with an insulin pump. In response to a Twitter post about that exhibition, FDA Commissioner Scott Gottlieb gave the ethical hackers a nod of approval.

The partnership between government agencies and ethical hackers is still new, and it’s too soon to say whether it will be maintained. That outcome looks probable, though, and it would bring significant and long-lasting benefits.