
US, FDA embraces the work of ethical hackers to secure medical devices

The US Food and Drug Administration (FDA) is embracing the work of ethical hackers to increase the cyber security of medical devices

The US Food and Drug Administration (FDA) is embracing the work of ethical hackers and their research to secure medical devices, Security Affairs reports. Ethical hackers have contacted device manufacturers after exposing vulnerabilities in their products. Until now, the FDA has stayed neutral in the debate about what role those individuals should play in exposing weak spots in medical technologies. But things are changing. The agency reports it’s embracing the work of ethical hackers and using their research. For example, two cyber security researchers, Billy Rios and Jonathan Butts, recently found a flaw in a Medtronic pacemaker that could let malicious hackers remotely change the settings of the medical device. The FDA and the company issued warnings about the pacemakers. Additionally, Medtronic stopped the device’s periodic Internet-based updates on tens of thousands of units until it comes up with an effective fix for the problem.

The “Medtronic” pacemakers case

The US FDA, Security Affairs continues, was instrumental in making Medtronic respond after hearing about the pacemaker’s security shortcomings. Butts and Rios disclosed the flaw to the company in January 2017, but it took more than a year for it to release security bulletins responding to the identified issues. The company asserted, though, that it wasn’t possible to remotely manipulate the devices. It also said the vulnerability was “controlled,” and not an immediate patient threat. The two ethical hackers continued engaging back and forth with Medtronic for months, then gave their research to the FDA. The agency followed up by doing its own analysis. Ultimately, the FDA said its findings matched the previous investigation, and that statement caused Medtronic to admit the bugs could hurt patients if not patched. The federal agency’s involvement brought about the company’s crucial change in attitude toward cyber security.

FDA: Cyber security researchers have a crucial role to play in revealing medical device issues that could be disastrous if left unchecked

According to Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health, there is a recognition that cyber security researchers have a crucial role to play in revealing medical device issues that could be disastrous if left unchecked. For example, some of the possible ways to manipulate medical devices include making them behave strangely without a patient’s or caregiver’s knowledge, or causing the gadgets to give incorrect readings that could change a user’s treatment plan. Hacks could also make diagnostic equipment, such as MRI machines, shut down. Speaking to The Washington Post, Shuren mentioned the importance of “proactively cultivating that relationship with the researcher community because they have an integral role to play.” Security Affairs comments that this statement strongly implies the US agency is taking the side of the cyber security community, by affirming how its researchers could be partners in making medical devices as secure as possible.

The FDA and the DHS signed an agreement to work together more closely, to secure medical devices

The FDA and the US Department of Homeland Security (DHS) have also signed a memorandum of agreement to work more closely with each other to secure medical devices. The hope is that, when vulnerabilities are identified, the teamwork between the two agencies will help them stay on top of medical technologies as they change and assist medical companies in responding to the security weaknesses.

The complete Security Affairs article

The Washington Post article
