Medical device security very, very, very, very, very, very, very bad.
The FDA is finally taking action to improve it, as detailed in its newly released Medical Device Safety Action Plan.
They’re proposing the formation of a new public-private partnership called the CyberMed Safety (Expert) Analysis Board (CYMSAB) that will serve as a cross between CERT (who manages critical alerts about computer security risks) and the NTSB (who analyze transportation disasters and issue guidance to prevent them in future). It will be chartered to “assess, assist, and adjudicate coordinated vulnerability disclosures in medical devices” and, possibly, to investigate medical device security breaches.
Also in the plan is a mandate for medical devices to come with a “Software Bill of Materials” that details “how it functions, what software is needed for what feature, and what technologies are used in each device.”
They’re proposing that medical devices should be designed to auto-update themselves with new firmware as it is released. This is a generally very good idea, but there are implementation risks: depending on how the update mechanism is designed, it could be used to force updates (even when network administrators don’t want them), which is very risky — a compromise of the update mechanism could force malware into every instance of a device in the country all at once; an ill-timed update could force a restart during sensitive, potentially lethal procedures.
Also, administrators also may want to stage updates to avoid breaking sensitive/brittle configurations, and they may choose to address potential defects by sandboxing or airgapping devices, rather than by updating them (which may or may not work). A mandatory update mechanism that can’t be overriden by administrators can thus backfire by causing administrators to firewall off their devices from the update server.
Further, the FDA also wants to “update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack).” This guidance will most likely be added to the FDA’s existing cybersecurity guidelines and recommendations.
Medical Device Safety Action Plan [FDA]
FDA Wants Medical Devices to Have Mandatory Built-In Update Mechanisms [Catalin Cimpanu/Bleeping Computer]
(via Naked Capitalism)