February 12, 2021 | Policy Brief

FDA Takes Important Step to Securing Medical Devices

The Food and Drug Administration (FDA) earlier this month named its first-ever acting director of medical device cybersecurity, Kevin Fu. This is an encouraging, if belated, step towards strengthening the cybersecurity of medical devices.

In an interview following his appointment, Fu explained that medical device manufacturers need to both understand cyber threats and incorporate best practices for secure software development in a way they never have before.

The consequences of overlooking these threats could be dire. For example, a security researcher found a way to exploit vulnerabilities in drug infusion pump models to remotely administer fatal doses of drugs to patients without leaving a trace. Similarly, hackers could potentially prevent pacemakers from functioning.

Like manufacturers in most industries, medical device manufacturers rely on several compliance standards and regulations that govern software development and encourage the use of security controls to protect the confidentiality, integrity, and availability of data. Generally, these assessments are checklist-type evaluations that do not simulate an adversarial attack and therefore cannot identify or demonstrate the effects of an actual cyberattack.

Each device, system, or enterprise, however, has its own unique attack surface and vulnerabilities based on the relationships between the people, processes, and technologies working together.

While the FDA strongly encourages the use of cybersecurity best practices during development and manufacturing, the agency is not responsible for testing devices and ensuring their cybersecurity. As in most other industries, it is up to medical device manufacturers to self-assess their own products for compliance. Compliance with a dated “checklist” standard does not ensure cybersecurity in an ever-evolving threat landscape.

The risk in the healthcare industry is clear, and a number of companies have already fallen victim to ransomware attacks. The compromised systems had similar requirements for compliance with various security controls to ensure confidentiality, integrity, and availability of data, yet hackers still breached their networks.

Fu will be focusing on the secure development of medical device software. This is a tall order. Across private industry, all companies, especially small- and medium-sized businesses, are struggling to understand evolving cyber threats, how to mitigate them, and how to resource those efforts.

All industries suffer from software development vulnerabilities. As the SolarWinds compromise demonstrated, an advanced adversary can penetrate the development process and insert dormant malware (known as a logic bomb) to be distributed simultaneously to thousands of companies. Then, after a period long enough to wait out basic security checks, the malware executes.

None of the current security standards address how to mitigate a dormant, undetected piece of malware. Yet each medical device manufacturer is expected to keep up with evolving threats, mitigate the associated vulnerabilities, and then verify that it has produced a secure product.

Most small companies and startups do not have an entire division of cybersecurity experts dedicated to keeping up with new attack vectors. If an advanced adversary wanted to compromise a medical device and insert a logic bomb, detonation could occur when the patient is using the device.

To help close the widening gap between available resources and the ability to deliver secure products, enhanced public-private collaboration is required. The Cyber Solarium Commission recommended creating a “Joint Collaborative Environment” that would enable information sharing between government and industry. This type of capability would allow medical device manufacturers and Fu to leverage the guidance and knowledge resources already established by industries that use similar technologies.

The FDA and medical device manufacturers cannot afford to assume that the likelihood of a cyberattack is zero just because one has not happened yet. Unlike in most industries, a failure to take medical device cybersecurity seriously until after the first attack will result not just in financial costs but potentially in loss of life.

Dr. Georgianna Shea is the chief technologist of the Transformative Cyber Innovation Lab (TCIL) and Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.