The growing use of wireless technology combined with the complexity of many medical devices has raised concerns about how protected they are against information security risks that could affect their safety and effectiveness.
That was the central conclusion of a report issued today by the Government Accountability Office that called on the Food and Drug Administration, the agency within the Department of Health and Human Services (HHS) that is responsible for ensuring the safety of medical devices such as implantable cardio-defibrillators or insulin pumps, to tighten the security requirements of medical devices.
From the GAO: "Medical devices may have several such vulnerabilities that make them susceptible to unintentional and intentional threats, including untested software and firmware and limited battery life. Information security risks resulting from certain threats and vulnerabilities could affect the safety and effectiveness of medical devices. These risks include unauthorized changes of device settings resulting from a lack of appropriate access controls. Federal officials and experts noted that efforts to mitigate information security risks need to be balanced with the potential adverse effects such efforts could have on devices' performance, including limiting battery life."
The GAO listed a number of specific threats including:
- Limited battery capacity: The limited capacity of batteries used in certain medical devices hinders the possibility of adding security features to the device because such features can require more power than the battery can deliver. The limited battery capacity makes these medical devices susceptible to an attack that would drain the battery and render the device inoperable.
- Remote access: Although remote access is a useful feature of certain medical devices, it could be exploited by a malicious actor, possibly affecting the device's functionality.
- Continuous use of wireless communication: Wireless communication allows medical devices to communicate; however, it could create a point of entry for unauthorized users to modify the device, especially if the wireless communication is continuously enabled.
- Unencrypted data transfer: Unencrypted data transfer is susceptible to manipulation. For example, a malicious actor could access and modify data that are not securely transmitted, affecting patient safety by altering information used in administering therapy.
- Untested software and firmware: Untested software can be a vulnerability when there is a security issue in software and firmware that has not been identified and addressed.
- Susceptibility to electromagnetic (e.g., cellular) or other types of unintentional interference: This can cause vulnerabilities that make a device susceptible to unintentional or intentional threats. For example, if these medical devices are not designed with resistance to electromagnetic interference, their functionality can be affected.
- Limited or nonexistent authentication process and authorization procedures: A limited or nonexistent authentication process and authorization procedures could leave certain medical devices susceptible to unauthorized activities, such as changes to the devices' settings. Authentication is the verification of a user's identity (often by requesting some type of information, such as a password) prior to granting access to the device. Authorization is the granting or denying of access rights to a device.
- Disabling of warning mechanisms: Warning mechanisms (such as a vibration or loud tone) could be disabled on certain medical devices. If these mechanisms were disabled, a patient would not be alerted if, for example, unauthorized modifications were made to the device.
- Design based on older technologies: Certain medical devices can be designed using older technologies, such as older versions of software or firmware. Additionally, these devices might not have been designed with security as a key consideration.
- Inability to update or install security patches: The inability to update or install security patches in certain medical devices could prevent identified software defects from being addressed.
According to FDA, most software-related medical device problems occur because devices are using software that has been revised since it was reviewed by FDA.
The GAO report also noted that addressing information security risks for certain medical devices involves additional safety considerations that are not typically necessary for other types of products. For example, incorporating encryption into the medical device could mitigate the information security risk of unauthorized changes to the settings of the device. However, adding encryption to a device could drain its battery more quickly, making it necessary to change the battery more frequently. Changing the battery for active implantable devices, such as a pacemaker, involves undergoing a surgical procedure, which has its own potential health risks. In contrast, two information security researchers we spoke with said that, in their opinion, technology has advanced such that encryption can be added to a medical device without using as much energy as before.
For its part, the FDA said that "in the future the agency intends to enhance its efforts related to information security. For example, officials said the agency will consider information security risks resulting from intentional threats when reviewing manufacturers' submissions for new devices. Officials said that they will consider whether the manufacturer identified the appropriate information security risks resulting from intentional threats and, if applicable, what proposed mitigation strategies the manufacturer included."
FDA officials also told the GAO that the agency is currently planning to review its approach to evaluating software used in medical devices. Officials said the review of its approach will be conducted by a contractor and will involve an analysis of how the agency considers software in medical devices during premarket reviews.