The U.S. Food and Drug Administration wants to help security researchers push medical device makers to proactively address flaws in their hardware and software. With the internet of things on the horizon, this is a proactive move to nip a looming problem in the bud.
Jay Radcliffe, a senior security analyst at InGuardians, discovered a software bug in his insulin pump 2 years ago. The bug could allow hackers to remotely control his device and potentially endanger his life. The manufacturer, Medtronic Inc., never responded to the private disclosure of his findings, which led to his decision to disclose them publicly at a hacker conference. The decision was met with some controversy, as a blueprint was essentially laid out for an attack exploiting the vulnerability.
It's precisely this type of situation that the FDA may be hoping to prevent by offering its clout to researchers who have found vulnerabilities, a move intended to help motivate manufacturers to respond to and remediate flaws in their devices. These days Radcliffe has discovered a new, concerning vulnerability in yet another insulin pump, this time made by Animas Corp., and he plans on presenting what he's found next week at the Black Hat conference. He says the FDA was a great help in initiating a high-level discussion with the manufacturer, but eventually the parties disagreed on the severity of the flaw.
Regardless of the outcome of this particular case, this quote from Radcliffe nicely sums up the present thinking in medical device security: "It's not hard to see where the technology is going," he said. "It's not just about the vulnerability in the one implantable device the researcher was able to get into. We're headed to interconnectedness, to connected health care."