First: Do No Harm. Second: Keep Others From Doing It.
In the wake of discoveries that some medical devices are vulnerable to remote tampering via the Internet, the U.S. Food and Drug Administration (FDA) issued new guidelines this week that are meant to direct medical device manufacturers in beefing up security. The hope is that we'll never have to read about—or worse, personally experience—death or injury because some malware-infected gadget didn't work the way it should.
The FDA recommendations call for device makers to review their cybersecurity practices and test their products with an eye toward ensuring that their authentication setups can limit access to authorized users only. The guidelines also urge health care facilities to be more vigilant in updating their antivirus software, to set stricter controls on who accesses their networks, and to cooperate with device makers to investigate and fix security breaches.
The FDA says that although no deaths or injuries associated with these vulnerabilities or malfunctions have been reported, the rise in cybercrime makes such an outcome “increasingly likely.” The guidelines, though not legally enforceable, put device makers and medical facilities on notice that they need to step up their efforts to keep diagnostic machines from being taken over by attackers, prevent pacemakers from being reset so that they deliver fatal shocks, and to keep insulin pumps from being tampered with.
The FDA action was prompted by the U.S. Government Accountability Office, which asked it to “develop and implement a plan expanding its focus on information security risks.” It’s about time. Just imagine someone undergoing a surgical procedure where an advanced robot is doing the cutting as proxy for a surgeon in another part of the world. Malware in the system that controls a mechanical arm—or a man-in-the-middle-attack—could be deadly. And even banal mash-ups of technology and medicine could put patients at risk. Computerized drug dispensaries, meant to keep people from receiving the wrong prescription or the wrong dose, could be targets.