Proactive cyber policies needed to protect patients, agency claims

The proliferation of connected devices has heightened security concerns across every sector, but the risks are felt particularly acutely in healthcare.

Ensuring Internet of Things (IoT) products are secure by design is the answer, says the US Food and Drug Administration (FDA), which has launched a safety action plan for medical smart devices.

It doesn’t take much to imagine the damage that could be done as hospitals and doctors’ offices alike come to rely increasingly on smart technologies – the 2017 WannaCry outbreak that disrupted NHS services is perhaps the most prominent example of such a disaster to date.

Network breaches can disrupt daily clinical operations, and security holes in individual devices, from pacemakers to defibrillators, can also be targeted directly by attackers.

Last week the agency, which regulates medical devices sold in the US, released a plan aimed at new medical devices entering the market.

It proposes that product safety should be the shared responsibility of multiple stakeholders at every stage of a device’s lifecycle, and that patching vulnerabilities should be a top priority.

Vendors should also provide a so-called “Software Bill of Materials”, the agency noted: an inventory of the software components, including third-party and open-source libraries, that a device contains, so that manufacturers and healthcare providers can tell which devices are affected when a vulnerability in one of those components is disclosed.

This sort of vulnerability awareness is expected to mitigate risks, the FDA claims.
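To make the point concrete, the following Python sketch shows how an inventory of that kind is used in practice: a device’s component list is matched against advisories so that affected devices can be identified when a component vulnerability is published. This is an added example for illustration, not code from the article, the FDA plan or any device vendor. The SBOM layout, the device name, the component versions and the advisory identifiers are all constructed and deliberately simplified (real SBOMs use standard formats such as SPDX or CycloneDX).

```python
"""Match a device's software bill of materials (SBOM) against component
advisories.  Added example, not FDA or vendor code.  The SBOM layout,
device name, versions and advisory IDs below are constructed for
illustration; real SBOMs use formats such as SPDX or CycloneDX."""
import json

# Constructed, simplified SBOM for a hypothetical device firmware build.
DEVICE_SBOM = json.dumps({
    "device": "example-monitor",       # hypothetical device name
    "firmware": "4.2.1",
    "components": [
        {"name": "zlib",     "version": "1.2.8"},
        {"name": "rtos-net", "version": "3.1.0"},
        {"name": "libjson",  "version": "2.0.5"},
    ],
})

# Constructed advisory feed.  A component is affected when
# affected_from <= version < fixed_in.  The IDs are placeholders,
# not real CVE or vendor advisory numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "zlib",
     "affected_from": "1.0.0", "fixed_in": "1.2.12"},
    {"id": "ADV-EXAMPLE-0002", "component": "libjson",
     "affected_from": "2.1.0", "fixed_in": "2.1.3"},
    {"id": "ADV-EXAMPLE-0003", "component": "openssl",
     "affected_from": "1.0.0", "fixed_in": "1.1.0"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple,
    e.g. '1.2.8' -> (1, 2, 8).  Versions with letter suffixes or
    vendor-specific schemes would need format-specific handling."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, advisory):
    """True when `version` falls inside the advisory's affected range."""
    v = parse_version(version)
    return (parse_version(advisory["affected_from"]) <= v
            < parse_version(advisory["fixed_in"]))


def affected_components(sbom_json, advisories):
    """Return one finding per (component, advisory) pair that applies to
    the device described by `sbom_json`.  Components that are not in the
    SBOM at all (here: openssl) are correctly ignored."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({
                    "device": sbom["device"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for finding in affected_components(DEVICE_SBOM, ADVISORIES):
        print("{device}: {component} {version} affected by {advisory}, "
              "fixed in {fixed_in}".format(**finding))
```

Run as a script, the sketch reports only the zlib finding: libjson is older than the affected range and openssl is not in the inventory at all. Without a component list of this kind, the same question (“is this device exposed to the newly disclosed flaw?”) can only be answered by asking the manufacturer, which is the gap the FDA proposal is trying to close.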

The formation of a CyberMed Safety Expert Analysis Board will also link the public and private sectors to encourage companies to develop proactive cyber policies.

Commenting on the report, John Pescatore, SANS Institute director, said: “I like the cybersecurity aspects of the FDA’s plan; most of the elements are directly applicable to other Internet of Things vertical areas.

“My one hope is that the medical device industry has Facebook’s security problems top of mind and reacts to FDA’s plan by saying, ‘Let's support this and hold back the political lobbying antibodies’ - better to prevent our CEOs from having to do the Congressional perp walk after a billion-dollar catastrophe.”

William Hugh Murray, IBM InfoSec retiree, added: “Update mechanisms dramatically increase the attack surface.

“For many devices, it may be better to simply replace it. The bill of materials is a great idea and could be extended to many other products.”

The FDA has previously released guidance on how cybersecurity should be built directly into the design of medical devices, and on why continuous monitoring is crucial to maintaining product safety once they are in use.

Cybersecurity in the health sector has reportedly been on the FDA’s radar since 2013, and the National Institute of Standards and Technology has also published its own security recommendations.

Earlier this month the agency issued a warning about a vulnerability in implantable cardiac defibrillators that could allow an attacker within radio range to gain access to a device and issue commands to it.

Abbott Laboratories, the maker of the devices, issued a firmware update, but noted that there had been no reports of patient safety being compromised.