GAO to Analyze Medical Device Security
Members of Congress Ask for Study of Risks
Reps. Anna Eshoo, D-Calif., and Edward Markey, D-Mass., requested the GAO study after reading media reports about a security professional "who claimed he was able to reprogram his wireless insulin pump so it could respond to deliver insulin from a stranger's remote control," their letter to the GAO notes.
According to multiple media reports, Jay Radcliffe, a diabetic who experimented on his own equipment, identified flaws that could allow an attacker to remotely control insulin pumps and alter the readouts of blood-sugar monitors. As a result, diabetics could get too much or too little insulin.
'Sheer Terror'
"My initial reaction was that this was really cool from a technical perspective," Radcliffe told the Associated Press. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices, which are a very active part of keeping me alive."
Medical device makers downplay the threat, arguing that the demonstrated attacks by Radcliffe and others have been performed by skilled security researchers and are unlikely to occur in the real world, AP reports. Nevertheless, the two members of Congress think the issue is worth investigating. And we wholeheartedly agree.
In their Aug. 15 letter to the GAO, the representatives noted: "It's important that [medical] devices operate in a safe, reliable and secure manner." They requested a report to determine the extent to which the Federal Communications Commission, which governs radio devices, is:
Speaking of the FDA, Bakul Patel, policy adviser for the FDA's Center for Devices and Radiological Health, said in May during a panel discussion on medical device safety: "The risk is growing exponentially with the convergence of medical devices and wireless technologies." But the FDA has no information directly tying any patient safety cases to security issues for medical devices, he added (see: Medical Device Security Raises Concerns).
The FDA is taking a close look at the issue of medical device security, Patel told me at the May conference. "I can't tell you what policies we are considering or what's in the works," he said. "But we are interested in this area." He also called for the development of standards for medical device security. And he pointed out that the FDA has issued reminders about its cybersecurity guidance for medical devices.
In another effort, the FDA will host a public workshop Sept. 12-13 to discuss issues related to potentially regulating certain mobile medical applications (see: Regulating Mobile Apps: FDA Seeks Input).
Best Practices
As we reported earlier, a new consortium is launching an ambitious effort to pinpoint best practices for protecting medical devices from malware threats and other security risks. The Medical Device Innovation, Safety and Security Consortium was formed because of the growing number of medical devices linked to networks and the growing risk of malicious hacking and malware, said Dale Nordenberg, M.D., founder.
Among the leaders of the consortium are the Department of Veterans Affairs, which has launched an ambitious medical device protection program, and Kaiser Permanente.
Plus, researchers at Massachusetts Institute of Technology and the University of Massachusetts, Amherst, are conducting timely research on how to protect wireless implantable medical devices (see: Could Your Pacemaker Be Hacked?). The researchers are attempting to develop a transmitter called a "shield" to protect wireless communication to and from implantable devices. The shield, perhaps worn as a necklace, would encrypt unauthorized messages coming in so that the device cannot read them. So far, early experiments with the technology have been confined to the laboratory, and no tests on humans have been conducted.
We're hopeful that all these various projects will lead to ramped-up efforts to protect medical devices before someone is seriously injured or killed by a devious hacker.