Medical device manufacturers now have to take responsibility for cybersecurity throughout the device's lifecyc...
The Food and Drug Administration (FDA) this week issued a new medical device cybersecurity guidance for manufacturers amid growing concerns about hackable medical systems. This post-market guidance is an addition to previous FDA premarket guidance from October 2014 and an internet-of-things-specific guidance from January 2016, and it outlines the steps manufacturers should take when it comes to medical device cybersecurity.
"Today's post-market guidance recognizes today's reality -- cybersecurity threats are real, ever-present and continuously changing," wrote Suzanne Schwartz, director of the FDA's emergency preparedness/operations and medical countermeasures, in a blog post. "In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve."
To combat the evolving risks to medical device cybersecurity, the FDA recommends manufacturers have a way to monitor and detect security vulnerabilities in devices, be able to analyze and understand the risks the vulnerabilities pose, have a coordinated vulnerability disclosure policy that effectively communicates information about vulnerabilities, and have a way to deploy mitigations to the vulnerabilities in a timely manner.
"This approach enables manufacturers to focus on continuous quality improvement, which is essential to ensuring the safety and effectiveness of medical devices at all stages in the device's lifecycle," Schwartz wrote.
The FDA guidance also emphasizes the importance of manufacturers following the National Institute of Standards and Technology core principles for improving critical infrastructure cybersecurity.
"It is only through application of these guiding principles," Schwartz wrote, "executed alongside best practices, such as coordinated vulnerability disclosure, that will allow us all to navigate this uncharted territory of evolving risks to device security."
In other news
- After months of public and private warnings, President Barack Obama announced the United States' responses to Russia's malicious cyber operations aimed at the U.S. election. "All Americans should be alarmed by Russia's actions," the president's statement read. "In October, my administration publicized our assessment that Russia took actions intended to interfere with the U.S. election process. These data theft and disclosure activities could only have been directed by the highest levels of the Russian government." Obama sanctioned the Russian intelligence services GRU and FSB, four individual officers and three companies that supported the Russian cyberactivity. The president declared 35 Russian intelligence agents persona non grata, giving them 72 hours to leave the country, and shut down two Russian compounds in Maryland and New York used for intelligence-related purposes. The FBI and the Department of Homeland Security also published a report detailing declassified technical information about the Russian cyberactivity. Other consequences may be forthcoming, but citizens may never learn of them, as the president stated: "These actions are not the sum total of our response to Russia's aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized." The White House plans to provide a report to Congress about Russia's efforts to interfere in the U.S. election, "as well as malicious cyberactivity related to our election cycle in previous elections."
- With many airline booking systems first coded in the 1970s and 1980s still in service, researchers examining whether those systems are secure found the answer is likely "No." Researchers Karsten Nohl and Nemanja Nikodijevic, both at Security Research Labs, a Berlin-based hacking research collective and consulting think tank, discovered passenger name records (PNRs) can be easily recovered both on and off the internet; the PNRs themselves expose "too much" personal information, including full name, billing address, payment card information and travel itineraries. According to the research, "authentication options range from weak to very weak," fraudsters can "possibly" steal flights, and frequent flier miles can be looted remotely.
- Three new vulnerabilities in the PHP programming language were reported as patched. Check Point Software Technologies announced the details of the potentially serious vulnerabilities well after PHP published patches on Dec. 8. "The first two vulnerabilities allow attackers to take full control over servers, allowing them to do anything they want with the website, from spreading malware to defacing it or stealing customer data," Yannay Livneh of Check Point's Exploit Research Team wrote in a blog post, referring to CVE-2016-7479 and CVE-2016-7480. The last vulnerability, CVE-2016-7478, "generates a denial-of-service attack, which basically hangs the website, exhausts its memory consumption and shuts it down."
Site editor Peter Loshin contributed to this article.