FDA Guidance on Medical Device Cybersecurity

The Food and Drug Administration has released guidelines regarding the security of medical devices.

I admit that I have not read it.

Posted on October 29, 2014 at 6:40 AM • 25 Comments

Comments

Clive Robinson • October 29, 2014 8:24 AM

@ Bruce,

A nice quote for you from the FDA site,

“ There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, M.D., MBA, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”

wiredog • October 29, 2014 8:28 AM

Lots of sensible advice that could be applied to more than medical device security.

"security controls should not unreasonably hinder access to a
device intended to be used during an emergency situation."

"Strengthen password protection by avoiding “hardcoded” password or
common words"

This one sounds difficult:
"Implement device features that protect critical functionality, even when the
device’s cybersecurity has been compromised;"

bigmacbear • October 29, 2014 10:46 AM

@wiredog:

I can imagine this would entail applying some kind of boundaries in the logic such that no matter what kind of authentication is supplied or bypassed, dangerous operations aren't possible. This is indeed difficult as was demonstrated by the Therac-25 incident, but it would be a mistake to say that it's impossible and we shouldn't even attempt it.

Fred P • October 29, 2014 12:08 PM

While I may quibble with the details, this is far better than the lack of guidance they had prior to this. Forcing documentation of these issues should cause the security of medical devices to improve over time, and noting some common vulnerabilities to look out for doesn't hurt.

Fred P • October 29, 2014 12:12 PM

@bigmacbear

Exactly. Some life-sustaining devices treat everything as an attacker (one example that stands out in my mind treated simple math operations as something that needed validity checking both before and afterwards), and force any invalid values to valid ones.

That said, sometimes the valid values can kill if they're used in the wrong situation.

Clive Robinson • October 29, 2014 12:21 PM

@ Wiredog,

This one sounds difficult : "Implement device features that protect critical functionality even when the device’s cybersecurity has been compromised;"

Actually not as difficult as you might think at first. For instance if you limit "critical" to read only operations, you are quite a step along that road. Secondly the trick used by smartphone manufacturers, which is to use two or more CPUs where you define a strongly mediated interface between the critical and non critical CPUs. In the case of mobile phones the Smart side CPU communicates with the Network side CPU via the equivalent of a serial interface with extensions to the old Rockwell AT command set. You design such a command set to have all states known and hard limits on string lengths etc. Further you can enhance this by using "signed commands": the manufacturer simply sets up a private CA and signs certificates in all "command" units and puts a copy of the product master PubK in all the actual patient end medical devices.

Thus an attacker would have to obtain a signed certificate from somewhere. Whilst not impossible if the equipment is designed correctly it would be very hard to get one out of a command unit.

Maybe not as high a level of security as you or I might like for our implanted IED or pacemaker but probably more than enough to keep the FDA happy.

Remember there will be a "think of the children" clause somewhere that says something along the lines of "First Responders and ER staff" must be able to access functions to save lives, so the security levels won't be that high or that complicated.

I've mentioned on this blog before the problem of ER departments accessing a myriad of such implanted devices will eventually lead to a common communications standard; what we as security professionals should do is aid in the formulation of such protocols to stop inappropriate specifications arising from the engineers and managers. We've already seen what could happen when we look at the history of WiFi and the failings of WEP and later protocols. Oh and as I mentioned just yesterday we must not allow things like security protocols to be "baked in" [1] such that people are walking around with vulnerable equipment in their chest for the rest of their lives.

[1] https://www.schneier.com/blog/archives/2014/10/spritz_a_new_rc.html#c6681640

Though check 'atk's response where s/he points out "baked in" has different meanings to different people. In this case I mean that the code should not be "hard wired in" in a ROM but put in the likes of an EEPROM or Flash Memory such that it can be upgraded over its expected lifetime of over fifty years.

Nick P • October 29, 2014 12:43 PM

@ Clive Robinson

I'm still sticking to pushing my recommendations on that issue:

1. Use an EEPROM with physical write protect that actually cuts the line off or does the update from a dedicated port after authentication.

2. Use a ROM + Flash pair where the ROM has a high assurance self-check and trusted boot kernel that authenticates what's on Flash. Only flash can change. Only signed code runs. ROM always boots first. Vast majority of attacks can raise an alarm and DOS it at best. Only best attackers have a chance of beating the ROM, too.

My current and future designs use a mix of these options.

Figureitout • October 29, 2014 9:24 PM

must not allow things like security protocols to be "baked in" [1] such that people are walking around with vulnerable equipment in their chest for the rest of their lives.
Clive Robinson
--Except that may allow "on the fly" updates that aren't very nice. Reality says there's a fundamental core that is mediating comms anyway, insecure or not, it is what it is. You'd have to replace that anyway if the vulnerability is so bad. There should be no wireless comms in life-or-death devices (if someone is spraying you w/ high power radar or injecting reverse-engineered signals into PCB traces trying to kill you you're already f*cked and should be wearing a shielded jacket or shirt and move out to a rural area, where tiny roads are main sources of humans and can be "tracked"...), and not a lot of people have a "robotic heart" or whatever keeping them alive, unless it's all the baby boomers. Once you have such a device in you, you probably won't make it another 25-50 years...

Remove wireless comms (don't make it easy) and assuming the engineers thoroughly tested (pfft..) a device that is life-critical...If someone dies from an attack then they need to hear that to understand the gravity of what they're working on (so are all the people who get implanted medical devices going to be ripped up after death to retrieve the device..?). I'll take my non-upgradeable fuse-shorted ROM device over any zigbee/802.11/bluetooth protocol if I ever need such a device.

JP G • October 29, 2014 9:32 PM

I wear an insulin pump and continuous glucose monitor (previously hacked as seen at Black Hat). I use this information to make real time decisions. I need this information collected and presented for my doctors and me to use.

I need a secure reliable device. Manipulation of my data can kill me and if I am driving, others also. But it must provide me, my doctors, and my parents (if it was my child) usable data to make decisions and prevent issues. (Being dumb, though, is my biggest threat).

We are rapidly moving towards an artificial pancreas (current real world small scale tests, 5-10 years from commercial use in other countries, 10-15 in the US). These are nothing more than a SCADA system. They have:

- Data acquisition from a blood glucose sensor
- real time control of an insulin pump
- Supervisory control that will soon be smartphone based
- Communications over unlicensed wireless for data acquisition
- Remote data collection (soon real time) and presentation via third parties (i.e. open source tidepool.org)

Future
- Additional data inputs such as FitBit or iWatch
- Additional control point for glucagon pump
- Integration with iHealth and other similar tools

This guidance does nothing to address a multi-vendor SCADA system necessary for human life safety operating in an open uncontrolled environment. At least a SCADA system should be behind a firewall.

It is only guidance aimed at individual actors. As such, it may meet a myopic FDA perceived need but does absolutely nothing to address real world needs. They need to start considering what has failed in the other systems and set standards that prevent repeating these failures as the consequences are high.

They completely overlooked privacy. We will soon be in a position that if an insurance company is paying for the device and supplies, they will demand access to your data. I trust my doctor, not my insurer to make good decisions for me.

Figureitout • October 29, 2014 10:48 PM

Supervisory control that will soon be smartphone based
JP G
--Omg...DON'T let that happen. Separate isolated module! It can be done! For not too obscene price.

This was the other main area I was going to say, diabetes, my last living grandmother has survived for something like 30+ years w/ it, Type II though, so just pin pricking...I don't want to even think about the glucose meters being corrupted giving false readings...And I work close to a company that makes $$billions on diabetes products; this is the other big group of people really affected by this (ignoring all technology in every other doctor office...not even funny).

Additional data inputs such as FitBit or iWatch
--*Sigh*...how about an iDie one? These fruity apps and java-based crude are not secure; all the applications are cool (when they work reliably..) but not secure. Any wifi/bluetooth device w/ storage going around possibly 100+ open wifi networks and countless devices means potential malware storage. Routers receive updates that flash the NVRAM over the internet. Can't underestimate this malware and it's kind of hard to really analyze a binary file, gets down to the core...

To not scare you too much, you're probably fine; I would let your doctor know that you're concerned about the security of these devices. If they hear that enough, maybe they can talk to the sales people selling these devices and move it up to the business making these.

Nick P • October 29, 2014 11:22 PM

@ JPG

They can make such a device secure, except for the smartphone part as Figureitout mentioned. The trick is probably to make the chips hardware instead of software. There are already systems that can synthesize and verify hardware circuits from high level specifications. There are even plugins for systems like LabView that have many more experienced users than pure hardware tools. So, they'll come up with the functionality, specify it, generate the circuits, test the crap out of them, and print a chip. They should also test for issues with radiation or RF waves hitting the chip.

Far as monitoring, a hardware data diode of sorts can connect the thing to an antenna or something. That prevents data from coming inside the device from untrusted sources. Then, you said it needs external control. This leads to a simple guard. Data can go out freely over the diode. Incoming data gets authenticated per packet or signal via a circuit. Each device might have a built-in key (eg antifuse tech) and the device that controls it also has that key. It only has functionality to talk to the medical implant, blocking anything else by default.

So, there's a start on your requirements. All that fancy integrated stuff will just give them a way to kill you, though. Sad part is, if it shows up en masse, it will probably be the market (i.e. patients) that demanded all those convenient deathtraps (err features).
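Nick P's per-packet authenticated guard above and Clive Robinson's fixed-grammar "signed command" interface (October 29, 12:21 PM) describe the same critical-side mediation; the code below is an added illustration of it and is not code from either commenter or from any device vendor. It substitutes Nick P's shared built-in key with HMAC for Clive's CA-signed commands, and the key, verbs, units, limits and frames are all constructed for the example.

```python
"""Critical-side command guard for a two-CPU medical device (added example).

The non-critical (radio/"smart") CPU may only hand the critical CPU short,
fixed-grammar, authenticated frames. The critical CPU checks length before
parsing, authenticates before interpreting, refuses replays, enumerates every
verb it knows, and keeps every setpoint inside a hard safety envelope.
"""
import hashlib
import hmac
import struct

# Constructed per-device key. The thread's model has it burned in at
# manufacture (antifuse) and shared only with the paired command unit.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)

MAX_FRAME = 48   # hard upper bound on a frame, checked before any parsing
CTR_LEN = 4      # big-endian frame counter, used for replay protection
MAC_LEN = 16     # truncated HMAC-SHA256 tag

# Every verb the critical side understands, with its argument count and
# whether it is read-only. Anything else is an unknown state and is refused.
VERBS = {
    b"AT+STATUS": (0, True),   # read-only query, never changes state
    b"AT+RATE":   (1, False),  # basal setpoint, constructed units of 0.1 U/h
    b"AT+BOLUS":  (1, False),  # one-shot dose, constructed units of 0.1 U
}

# Hard safety envelope per setpoint. Out-of-envelope values are refused
# rather than clamped: a "valid" maximum is still the wrong dose in the wrong
# situation, so the guard never substitutes a value the operator did not send.
LIMITS = {b"AT+RATE": (0, 50), b"AT+BOLUS": (0, 100)}


def seal(counter: int, cmd: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Command-unit side: frame = counter | ASCII command | MAC(counter|cmd)."""
    body = struct.pack(">I", counter) + cmd
    return body + hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]


class CommandGuard:
    """Critical-side parser. handle() never raises; every outcome is enumerated."""

    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.last_counter = 0                      # accepted counters only go up
        self.state = {b"AT+RATE": 10, b"AT+BOLUS": 0}

    def handle(self, frame: bytes):
        """Return ("ok", verb, result) or ("reject", reason, None)."""
        if not CTR_LEN + 1 + MAC_LEN <= len(frame) <= MAX_FRAME:
            return ("reject", "length", None)
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        # Authenticate before interpreting a single byte of the command.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad-mac", None)
        counter = struct.unpack(">I", body[:CTR_LEN])[0]
        if counter <= self.last_counter:
            return ("reject", "replay", None)
        self.last_counter = counter   # a fresh, authentic frame consumes its counter
        verb, _, arg = body[CTR_LEN:].partition(b"=")
        spec = VERBS.get(verb)
        if spec is None:
            return ("reject", "unknown-verb", None)
        nargs, read_only = spec
        if (nargs == 0) != (arg == b""):
            return ("reject", "arity", None)
        if read_only:
            return ("ok", verb, dict(self.state))
        # Arguments are short ASCII decimals only: no signs, spaces or floats.
        if not (1 <= len(arg) <= 4 and arg.isdigit()):
            return ("reject", "arg-format", None)
        value = int(arg)
        lo, hi = LIMITS[verb]
        if not lo <= value <= hi:
            return ("reject", "out-of-envelope", None)
        self.state[verb] = value
        return ("ok", verb, value)


def demo():
    """Constructed exchange: one accepted setpoint, four refusals, one query."""
    guard = CommandGuard()
    return [
        guard.handle(seal(1, b"AT+RATE=20")),                 # ok
        guard.handle(seal(1, b"AT+RATE=20")),                 # replay
        guard.handle(seal(2, b"AT+BOLUS=500")),               # out-of-envelope
        guard.handle(seal(3, b"AT+REBOOT")),                  # unknown-verb
        guard.handle(seal(4, b"AT+RATE=5", key=b"x" * 32)),   # bad-mac
        guard.handle(seal(5, b"AT+STATUS")),                  # ok, snapshot
    ]
```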

JP • October 29, 2014 11:47 PM

@Nick
The capabilities are needed by some, not just wanted. An appropriately designed data presentation layer on a phone is a good thing. Decision support is important, especially when I have to act as my own pancreas. When I started carefully monitoring and using the tools, I significantly improved my control. The medical companies can't do it themselves. Open source and competitive markets will speed up the progress immensely and I support it. We have to do it right.


@FigureItOut
Real world artificial pancreas is coming. Working systems have been demonstrated. Big bucks are being spent on it. We have to do it right. Fortunately, it is not an implanted device such as in the earlier discussion. Some sources showing what is being done today.

Smartphone control is one step beyond these devices. They have remote control capability and that is how the BlackHat hack was possible. It was a design issue. Fortunately, it is extremely difficult and you have to be relatively close.

www.medtronicdiabetes.com/treatment-and-products/mysentry-remote-glucose-monitor
www.massdevice.com/news/diabetes-dexcom-wins-fda-nod-smart-remote-glucose-monitor
dexcom.com/apps


Smartphone artificial pancreas demonstrated to work (takes away the remote requirement). However, too much liability for actually running the software on a phone so a pump CPU for direct control would be used in at least the U.S. (I think). It is still capable of being used as a supervisory control point.

care.diabetesjournals.org/content/36/7/1851.short


I should have said FitBit and iWatch style device - not actually the cheap commercial stuff. But it is the same idea. Medical grade devices rather than off the shelf hardware would be used.

DMITRI at dial.ucsd.edu/what-we-do.php


FDA to permit (more accurately not enforce restrictions) on remote data storage and result presentation for non medical use. Note this will allow the ability to cross correlate the actual Fitbits and iWatches very appropriately for later data analysis.

www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM401996.pdf


The big picture is that it will happen. And it will happen for good reason. We need to ensure security is designed in and not bolted on. This guidance is leading us towards bolting it on later.

Note this is not my day job in cyber security. I use this in my graduate research work outside of cyber security.

Joe

Clive Robinson • October 30, 2014 4:10 AM

@ Figureitout,

... not a lot of people have a "robotic heart" or whatever keeping them alive, unless it's all the baby boomers. Once you have such a device in you, you probably won't make it another 25-50 years...

In the US it's a lot lot more people than you would think.

I usex to be involved with the design of medical electronics so it's something that I have an interest in; I've also a lady friend whose profession is cardiology, so I get to read quite a bit of what you might describe as the "trade" and "association" journals including JAMA.

If you read between the lines one of the peculiarities of the US medical trade becomes highlighted, and that is its "liability" lead via insurance companies. This has the effect of very fast machine based diagnosis rather than the more considered approach you find in other Western countries. Which is great for common diagnosis but not so good for the less common or rare conditions.

As part of this the insurance companies see the cost of fitting an electronic box in your chest as a cheaper and more long-term profitable way to do business. Because the box is in effect your own personal "liability reduction" diagnostic tool, and the cost of fitting is regained from premiums in around five years, and the longer you live healthy after that the more profit they make from the increased premiums.

Thus fitting these devices is now very common in the US, even when there is no real medical requirement for them... which means effectively quite healthy early middle aged economically productive people are being fitted with them "just in case". Thus the life expectancy after fitting is a lot lot higher in the US than it is elsewhere, especially when many also act as though it's a "death knell" wake up call and make major life style changes (it's been only half heartedly joked that "fitting one is the best way to make many stop smoking and get a little exercise").

So with white middle class life expectancy rising at about one year in every five lived, living to one hundred is becoming more the norm, so are longer working lives. So if your insurance company says fit the box when you are only 35 then you are looking at 65 or more years of it in your chest...

And this is a problem in and of itself because we don't make electronics to last that long except in exceptional cases currently. The worst offending components being energy storage devices such as batteries and capacitors.

However both of which can have MTTF figures measured in longer time intervals than many crypto algorithms...

I can see a time when conventional autopsies won't be required except in unusual circumstances, because we will all have little electronic boxes in our chests or other places that will have a record of all the electro chemical changes leading up to our deaths that can be read out, just like the serial number of the chip in your dog... Which also means that it won't be very long before it appears in a "Perry Mason" type story, where it's discovered that some bug in the software has enabled a murderer to make the victim's death look natural...

vas pup • October 30, 2014 4:05 PM

@Clive:
Thank you for the links provided.
Q: Who is going to assign seal of approval for those device related to subject matter?
Clive, I just got an idea. Google + is currently highly involved in medical related technologies. Maybe those guys could create such testing/certification independent authority under their 'roof'?

Phil Cole • October 31, 2014 12:53 AM

It will be interesting to see how this affects the industry. Overly specific instructions would be useless (are we talking about an implanted pacemaker? An ECG acquisition system that connects via USB and runs on a windows PC? A control workstation for a diagnostic x-ray system? a cloud based clinical information system? all of these are medical devices covered by the FDA) so I don't think the generality of it is a bad thing.

To speak to some specific comments, in the case of wireless control of an implantable device (pacemaker or insulin pump) think of it from the perspective of the device developers - the infection control risks that are eliminated by the absence of a physical interface are significant (likelihood of infection - very high, impact of infection - extended hospital visit and/or patient death). Contrast this with the (unpublished at the time of development, probably 3-5 years prior to disclosure) risk of malicious, targeted attack over an uncommon wireless channel, you can understand how one would be prioritised over the other. Not to say that security of controls isn't important, but in the context of other risks it can be easily relegated to a much lower relative risk. Hopefully this will help bring about change quicker.

SixSixSix • October 31, 2014 12:59 AM

This debate overlooks the severe damage that the Robert's Court of Supreme Corporate Interests did to medical device safety and security, and to hope for serious reform of medical devices. For all approved Class III devices no matter how incompetent the engineering nor how grossly negligent the manufacturing no American citizen has the right to sue in court - access has been slammed shut by the five Supreme corporate lawyers in black robes. Medical device manufacturers have zero liability once approved upon initial inspection by the FDA.

The legal system which might be hoped to restore balance or promote improvement has been 100% disabled for all patients in America, whether citizens or not come to think of it. That corrective mechanism is totally disabled. American Exceptionalism at its worst no doubt, but also the result of years of big money "tort reform", more accurately tort deform. Except of course for the medical device corporations themselves. They can sue the hell out of each other for intellectual property infringement and still pretend constitutional law operates just like in the old days. They can even claim that your medical data is their proprietary information. Yes, wanting to know what happened inside of you can be a copyright infringement - a DMCA violation. Bet you thought only music hackers would be at risk - nope so are you if you get too nosy about what that device inside of you is doing.

I had a St Jude Internal Cardiac Defibrillator (ICD) for nine hellish years until I had it removed because in the entire time of serious arrhythmia the only thing that nearly killed me was the device itself. The design was defective and unsafe in the presence of non-lethal arrhythmia. The FDA MAUDE Database has ample entries of death by ICD malfunction. The magnetic suppression feature for surgery and first responders used a reed switch known to be unreliable in the continuous process control industry (the heart is a glorified pump, a biological one, but a pump nonetheless, and an ICD is a low grade digital continuous process controller.) The manufacturing was grossly negligent. In the (bio) chemically active environment of the blood stream they put critical wiring inside of silicone-coated cabling, something the industrial process control industry knows not to do. The basic engineering of the device was far below the standards expected to operate a power plant or even your car for that matter (which has dozens and dozens of such devices). But control device manufacturers who mess up a power plant or your car can be sued, especially if their devices cause injury and death.

Consider basic safety. It is a first principle of the controls industry to build fail fast/hard systems. If a device internally or another device monitoring it detects inconsistency indicative of failure the device should shut down rather than continue to send out what might be very dangerous control signals. Ideally a higher control layer should be informed that might be able to mitigate the situation, but failing components should shut down. Not in the St Jude ICD design world. When I requested that feature of the company they flat out refused. This despite making the worst lead ever on the market, one that wore out and then shorted out leading to uncontrolled shocks at 36 joules straight into the side wall of my heart. The reed switch to inhibit the shocks also failed intermittently which isn't all that surprising because those reports show up in the FDA MAUDE database as well. Oh, so what, St Jude management says, we made the financial targets to humor the hedge fund managers that quarter. We sure don't want to get them irate, after all they have the right and money to sue us. No disabling access to the courts ever for the hedge fund managers.

We will skip over the terrorizing aspect of having technology in you running amuck with serious possibility of mortality; incidentally the shocks are also quite painful and run straight up the vagus nerve into the brain where they act as unsolicited electro-shock therapies. Because the signals are out of phase, the shocks delivered have heightened probability of inducing the very fatal arrhythmia they were supposedly designed to mitigate. St Jude would rather kill you with shock after shock after shock than admit their device was failing. As a compromise I asked for a parameter to limit the number of shocks over a unit of time. Nope, they were going to shock until death no matter what - especially if one of their defectively designed and manufactured leads had made the sensor signal into a channel of near pure noise. Truly these designers will bomb a village to save it and the Supreme Court of Injustice will reward them for it.

Now think how odd it is to be OK for a medical device to harm, terrify, get needlessly hijacked, or kill you. No consequence, even less than the Big Banks after 2008. Well, about the same actually. But if an automotive or aircraft manufacturer does that or an industrial process control company blows up a chemical plant - big penalties. All of this pampering of medical device companies is justified in the name of "innovation". But the medical device field shows one of the very least rates of innovation among all electronics market segments, far behind other applications such as cell phones and even automobiles. If drones advanced at the rate of medical devices, we would just be getting to those new-fangled joy stick analog radio controlled model airplanes with "advanced" 1966 era Cox 0.49 engines. Ideological abuse of the law can have deadly consequences, but that is the current environment.

The implication for security is severe. There is no conceivable reason for medical device manufacturers to care about security. If they make it perfectly easy for hackers to control your device to torture (very, very easy) or kill you (likewise easily done) they have no responsibility whatsoever. They just have to mumble a few lines on an FDA application reviewed by people who know little to nothing about digital security, and all is golden. Expect America to continue to be exceptional - the furthest behind of any major country because frankly there is no reason to sweat it in the device manufacturing industry here. The rest is just hot air, posturing, and mostly denial.

Clive Robinson • October 31, 2014 5:30 AM

@ SixSixSix,

Expect America to continue to be exceptional - the furthest behind of any major country because frankly there is no reason to sweat it in the device manufacturing industry here. The rest is just hot air, posturing, and mostly denial.

Welcome to the "Brave New World" of the neo-liberal "free market".

The sad thing is history shows us via the likes of other "standard interfaces" a flexible design done well though --supposedly-- initially more expensive --than done badly-- will fairly quickly give rise to a much more profitable and sustainable market place.

But as you note, that does not fit in with Venture Angels' "rape and run" ethos, which is about the only shorter term policy than those espoused by numpty politicos grabbing a headline out of others' misfortune and misery.

Sadly as I know they undercut more sensible research (I used to design in Med Electronics) and the next jolly wheeze is via the likes of the TTP treaties and their hidden clauses... whereas the Australians found US Companies can get sensible health care systems be in effect judged illegal by US selected lawyers and demand the sorts of compensation patent trolls can only dream of in their wildest fantasy...

vas pup • October 31, 2014 3:51 PM

Security by redundancy:
http://www.bbc.com/news/science-environment-29758872
Yeah, it is always good to have two 50Wt bulbs rather than one 100Wt. When one bulb goes out you still have some light (former), or no light (latter). You may think about that as "all eggs in one basket case" as well - question of taste. I guess having two part time employees is more reliable than one full time (no moral aspect considered) to provide viability of service. Same idea: one employee is sick, at least partial service provided by the second one, and you could provide overtime payment incentive for the active employee. Any reasonable (not moral based) critics appreciated.

Figureitout • October 31, 2014 10:21 PM

JP
Real world artificial pancreas is coming.
--That's...awesome! What isn't awesome is the current deplorable, absolutely SHAMEFUL state of electronic supply chain and essentially unknown manufacturing origins due to low cost (and high cost of machines now necessary to put these circuits together). Cheap sh*t from China could either be a steal or a scam. When these boards fail (or you get brand new fabbed boards that are fails from the start), aside from basic multimeter testing, you're screwed; for one board am I going to spend my time meticulously desoldering and testing every component w/ a 'scope? Hell no, I got other projects that needed to be done yesterday. Now add in RF, uhh there's complexity w/ that (knowing the protocols and circuits you can absolutely glitch it and cause all kinds of weirdness of course); and if they have to get such a small board, the TX/RX may depend on one or two transistors...

Clive Robinson
I usex
--First off, uhh, please don't sex me. Me no sex u lol. Admittedly I don't have that data; assuming you don't have actual numbers either.

One more thing to leave the reader w/ a little something to chew on (**WARNING** Slightly disturbing pictures, protruding objects under skin): http://grindhousewetware.blogspot.ca/2014/03/grinding-high-stakes-endeavor.html

Notice the LiPo battery about to explode, that would be nice under your skin, battery acid in your veins. They tested the battery and it was a massive failure, and yet they still put it in their arm. Oh and bluetooth to relay semi-worthless info and wireless charging, great. F*cking no, just no. Self-mutilation.

SixSixSix
--Horrifying...

Clive Robinson • November 1, 2014 4:25 AM

@ Figureitout,

--First off, uhh, please don't sex me. Me no sex u lol.

As I've said before it's a careless touch problem, that arises with having a large member and the close proximity of the items I wish to poke with it [1].

That is on this mobile phone touch screen the D key is above the X key and thus it should have been "I used".

As for figures which ones? The number and trend of implanting or the MTTF on batteries and capacitors. The numbers and trends are given in some of the journal articles where cardiology doctors (not surgeons) have started to get worried about it. The MTTF figures --if you can believe them-- are to be found in the component data sheets.

However as you have found on your internet search, components can have their MTTF critically affected by other components and/or functioning of the system.

I often think that people who willingly make holes in their bodies and then put unknown foreign objects/substances in to be verging on the edge of insanity. It's why I don't have any "tats or piercings" and definitely no "cosmetic surgery" and I'm absolutely amazed about what people will do for "body image" including having some unqualified hair dresser injecting tire sealant into their buttocks in the kitchen. Or how about having parties to inject the most lethal and expensive neurotoxin there is that occurs naturally (botox) again by medically unqualified people...

At least the "Grinders" were trying to move forward their knowledge, in what they considered to be a fairly safe way, till they found out that sometimes thorough testing can save you a lot of pain...

[1] I wonder if that sentence will trip the "naughty talk" filter somewhere and get the NSA/GCHQ droids rushing to read it. If it does are they going to be disappointed, they'll probably put us both on the no fly list out of revenge ;-)
