The Security Scrutinizer with Howard Anderson

GAO to Analyze Medical Device Security

Members of Congress Ask for Study of Risks

For too long, the potential security risks involved in using medical devices have received scant attention. So we're pleased that two members of Congress have asked the Government Accountability Office to study whether federal regulators are adequately addressing the security risks involved in using wireless medical devices.

Reps. Anna Eshoo, D-Calif., and Edward Markey, D-Mass., requested the GAO study after reading media reports about a security professional "who claimed he was able to reprogram his wireless insulin pump so it could respond to deliver insulin from a stranger's remote control," their letter to the GAO notes.

According to multiple media reports, Jay Radcliffe, a diabetic who experimented on his own equipment, identified flaws that could allow an attacker to remotely control insulin pumps and alter the readouts of blood-sugar monitors. As a result, diabetics could get too much or too little insulin.

'Sheer Terror'

"My initial reaction was that this was really cool from a technical perspective," Radcliffe told the Associated Press. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices, which are a very active part of keeping me alive."

Medical device makers downplay the threat, arguing that the demonstrated attacks by Radcliffe and others have been performed by skilled security researchers and are unlikely to occur in the real world, AP reports. Nevertheless, the two members of Congress think the issue is worth investigating. And we wholeheartedly agree.

In their Aug. 15 letter to the GAO, the representatives noted: "It's important that [medical] devices operate in a safe, reliable and secure manner." They requested a report to determine the extent to which the Federal Communications Commission, which governs radio devices, is:

  • Identifying the challenges and risks posed by the proliferation of medical implants and other devices that make use of broadband and wireless technology;
  • Taking steps to improve the efficiency of the regulatory processes applicable to broadband- and wireless-enabled medical devices;
  • Ensuring wireless-enabled medical devices will not cause harmful interference to other equipment;
  • Overseeing such devices to ensure they are safe, reliable and secure;
  • Coordinating its activities with the Food and Drug Administration, which regulates medical devices.
Speaking of the FDA, Bakul Patel, policy adviser for the FDA's Center for Devices and Radiological Health, said in May during a panel discussion on medical device safety: "The risk is growing exponentially with the convergence of medical devices and wireless technologies." But the FDA has no information directly tying any patient safety cases to security issues for medical devices, he added (see: Medical Device Security Raises Concerns).

The FDA is taking a close look at the issue of medical device security, Patel told me at the May conference. "I can't tell you what policies we are considering or what's in the works," he said. "But we are interested in this area." He also called for the development of standards for medical device security. And he pointed out that the FDA has issued reminders about its cybersecurity guidance for medical devices.

In another effort, the FDA will host a public workshop Sept. 12-13 to discuss issues related to potentially regulating certain mobile medical applications (see: Regulating Mobile Apps: FDA Seeks Input).

Best Practices

As we reported earlier, a new consortium is launching an ambitious effort to pinpoint best practices for protecting medical devices from malware threats and other security risks. The Medical Device Innovation, Safety and Security Consortium was formed because of the growing number of medical devices linked to networks and the growing risk of malicious hacking and malware, said Dale Nordenberg, M.D., founder.

Among the leaders of the consortium are the Department of Veterans Affairs, which has launched an ambitious medical device protection program, and Kaiser Permanente.

Plus, researchers at Massachusetts Institute of Technology and the University of Massachusetts, Amherst, are conducting timely research on how to protect wireless implantable medical devices (see: Could Your Pacemaker Be Hacked?). The researchers are attempting to develop a transmitter called a "shield" to protect wireless communication to and from implantable devices. The shield, perhaps worn as a necklace, would encrypt unauthorized messages coming in so that the device cannot read them. So far, early experiments with the technology have been confined to the laboratory, and no tests on humans have been conducted.

We're hopeful that all these various projects will lead to ramped-up efforts to protect medical devices before someone is seriously injured or killed by a devious hacker.



About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



