Board Urges Feds to Prevent Medical Device Hacking

In the wake of increasing concern about the security of wireless medical devices, a privacy and security advisory board is calling on the government to grant the FDA or other federal entity the authority to assess the security of devices before they’re released for sale to the market.

The group also wants the government to establish a clear channel through the United States Computer Emergency Readiness Team for reporting security problems with medical devices — including pacemakers, defibrillators, and insulin pumps — so vulnerabilities can be easily tracked and addressed.

Advances in technology have created numerous medical devices that can be monitored and controlled wirelessly to change settings and verify that they’re operating properly. But vendors have failed to secure the devices to prevent an unauthorized party from communicating and tampering with them — a potentially deadly security problem.

That prompted the Information Security and Privacy Advisory Board, which advises the National Institute of Standards and Technology (NIST) as well as the Office of Management and Budget, to send a letter to the latter office (PDF) on Mar. 30 calling for reform.

The board noted in its letter that millions of software-controlled medical devices in the field put patients at risk of significant harm — among them military personnel and veterans who are treated in government hospitals. Yet there is currently no single federal agency with responsibility for ensuring that the devices are secure before they’re marketed to the public. There also is no entity that has been tasked with dealing with security problems that arise with systems that are already on the market.

In the letter, signed by Advisory Board Chairman Daniel Chenok, the board called on the government to assign the FDA or some other federal entity responsibility for ensuring that the devices are secure. The board suggested the agency work with NIST, the government’s technical standards-setting body, to determine which features could be “enabled by default on networked or wireless medical devices.”

“For instance,” the board wrote, “a medical provider should not have to download new software, such as an anti-virus product, to achieve an acceptable baseline of cybersecurity. Cybersecurity features in medical devices should be active at the time of purchase by the Government, and should be easily and transparently configurable by a provider at the time of use….”

The group also wants the government to take the lead in informing healthcare providers, patients and others about the risks of wireless medical devices.

In its letter, the Board noted that there is currently an economic disincentive for reporting information about security vulnerabilities and incidents related to such devices, since a hospital could be sued as a result of disclosing an incident. This creates a false sense of security, since people assume that a paucity of reports means the devices are secure.

But that assumption has proven to be false in the last few years in the wake of reports from security researchers who uncovered problems with the devices.

Last August, security researcher Jerome Radcliffe caused a public stir when he demonstrated at the Black Hat security conference in Las Vegas how he could hack his own insulin pump. Radcliffe’s device was designed to communicate with a $20 dongle that plugged into the USB port of a PC so that settings could be changed on the device. He discovered that he only needed to know the serial number of his or any other insulin device to be able to communicate with it. The serial number was only six digits long, and Radcliffe was able to write a computer program that simply cycled through possible numbers to find the correct one for a device he wanted to target.

In 2008, researchers at the Medical Device Security Center, in Amherst, Massachusetts, showed that pacemakers and defibrillators could be hacked wirelessly as well, allowing an attacker to, for example, send a fatal shock to a patient using an implanted cardiac defibrillator or simply stop the defibrillator altogether.

One possible fix suggested by Radcliffe and others would be to encrypt the communication to wireless medical devices so that an attacker couldn’t sniff the data and learn the commands needed to control the device. Another fix would be to ensure that the devices can only receive commands and software updates from an authorized source so that an attacker couldn’t communicate with the device.
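A sketch of the second fix, commands accepted only from an authorized source, added here as an illustration and not taken from Radcliffe's work or any vendor's firmware. It assumes a secret key shared between the device and its programmer at pairing; the frame layout, command strings and sample values are constructed. It covers authentication and replay protection only, not the encryption fix.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the authentication tag

def _tag(key: bytes, serial: str, body: bytes) -> bytes:
    # The fixed-length serial is bound into the tag but is not a secret.
    return hmac.new(key, serial.encode() + body, hashlib.sha256).digest()[:TAG_LEN]

def build_frame(key: bytes, serial: str, counter: int, command: bytes) -> bytes:
    """Programmer side: frame = counter (8 bytes) || command || tag."""
    body = struct.pack(">Q", counter) + command
    return body + _tag(key, serial, body)

class Device:
    """Device side: accepts a frame only from a holder of the pairing key."""
    def __init__(self, serial: str, key: bytes):
        self.serial, self.key = serial, key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 8 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, self.serial, body)):
            return False  # wrong key or modified frame
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        self.last_counter = counter
        return True

def demo() -> dict:
    # Constructed sample values, not taken from any real device.
    serial, key = "123456", bytes(range(32))
    dev = Device(serial, key)
    good = build_frame(key, serial, 1, b"SET_PARAM A")
    tampered = good[:8] + b"SET_PARAM B" + good[-TAG_LEN:]
    serial_only = build_frame(b"\x00" * 32, serial, 2, b"SET_PARAM A")
    return {
        "authorized": dev.accept(good),
        "replayed": dev.accept(good),
        "tampered": dev.accept(tampered),
        "serial_only": dev.accept(serial_only),
    }

if __name__ == "__main__":
    print(demo())
```

With this check in place the six-digit serial number identifies the device but no longer authorizes anything: a sender must hold the 256-bit pairing key to produce a frame the device accepts.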

Last August, after Radcliffe’s presentation, members of the House Energy and Commerce Committee called on the Government Accountability Office to investigate the security of wireless medical devices. A GAO spokesman told Threat Level on Tuesday that the office expects to release a report on the issue in July.