Last week the United States Food and Drug Administration took the unprecedented step of recalling a biomedical device following concerns over its lack of cybersecurity. The device in question — a St Jude Medical cardiac rhythm management product or pacemaker to the rest of us — had been successfully hacked in August 2016 at the behest of a financial trading company, Muddy Waters Capital, for stock market gain.
While other medical devices have been discovered to have security vulnerabilities in the past through manufacturer-authorised penetration tests, disclosure to the public has in most cases been played down and withheld until vendors could come up with patches or updates to fix vulnerabilities. Often this has taken multiple months or years to remedy, all the time leaving devices vulnerable should a malicious actor also find the flaw.
This case was different. Not only was the hack unauthorised, but news of the vulnerability was made public immediately without time for the manufacturer to produce a remedy. In fact, the public disclosure of the information appeared to take the vendor by as much surprise as it did the rest of us. No longer was news of a successful hack or security test result going to wait for a vendor to leisurely and quietly fix security vulnerabilities in its products before the public found out.
Ordering a recall marked a major change in direction for the FDA. It also placed medical device manufacturers on their collective back feet and they will need to pivot quickly to respond to future vulnerabilities that catch them by surprise. The onus is now squarely on manufacturers to win the PR war and quickly fix security gaps in their products.
Most importantly, the onus is now on the FDA and manufacturers to proactively get involved in the ongoing testing of all devices, not just those awaiting FDA approvals, in order to avoid the kind of PR disaster the St Jude device resulted in. This is something that manufacturers have staunchly rejected in the past and regulatory bodies like the FDA and Australia’s Therapeutic Goods Administration — which chose not to announce a pacemaker recall but issued a “safety alert” instead — have largely let be.
But the public has now been alerted to the risks that some medical devices can pose and is actively seeking answers.
Not only are recalls very expensive, they damage the brand as well as public confidence in medical device products. Who would want to have a pacemaker installed if they had the slightest doubt the device could be hacked to electrocute them one day? The recall will also likely result in even more expensive class action lawsuits from relatives of those who died while under the support of a similar St Jude device.
The significance of this story is that it marks a major change in the status quo of the public being reliant upon medical device manufacturers to identify and fix vulnerabilities in the devices they sell and push out the door. St Jude Medical, which was in the process of being purchased by Abbott at the time, was shocked that penetration tester MedSec and Muddy Waters Capital released the findings of their independent test. As MedSec would later state:
“When MedSec discovered the vulnerabilities, we carefully considered but rejected the traditional approach to disclosure — confronting St Jude. We believed (and still believe) St Jude’s track history in responding to reported problems is poor. In fact, St Jude just recently announced a potentially lethal design defect that may affect up to 350,000 of its users — two years after learning of it, apparently. In my opinion, patients deserve to understand the risks associated with the technologies upon which their health is dependent.”
St Jude sued Muddy Waters and everyone involved in the vulnerability testing, and Muddy Waters and MedSec counter-sued, bringing in independent security consultants Bishop Fox to validate their testing and findings.
Manufacturers have for a long time been accused of hiding behind US legislation including the Digital Millennium Copyright Act (DMCA) or the Computer Fraud and Abuse Act (CFAA) to hush unwelcome security research, and MedSec was quick to point this out in its counter-suit. (The DMCA has since been amended to make it legal for security researchers to conduct their research.)
“When it came to our research, we concluded that a partnership with Muddy Waters was the fastest route to improved product security, improving patient safety and a better understanding of the risks faced by patients,” MedSec claimed.
The FDA finally got involved because it all went very public, very quickly, and the public started asking questions. The close relationship between the FDA and manufacturers was being called into question publicly, and the FDA’s independence in managing the public interest in this space was challenged. The FDA therefore had to do something.
The role of the FDA in protecting the public from cyberattack by medical device obviously needs to change. Manufacturers claim additional scrutiny for security will add further time and costs to the release of new innovative devices. The fact of the matter is that current FDA guidance is just that — ‘guidance’ — and nothing more. Besides, many manufacturers simply ignore that guidance in their rush to take a new product to market quickly.
What is needed is a set of security design standards, perhaps set by the very capable US National Institute of Standards and Technology (NIST) for medical device security. This should necessitate security as a basic design consideration from the outset of all future designs, and should mandate ongoing security testing and patching of devices in the field for the entire 15 to 20 year lifespan of each device. Having independent security standards to work to would allow manufacturers and the FDA to get on the same page, and reduce time-consuming, ad-hoc testing by the FDA, thus speeding up approvals.
One of the major complaints by device manufacturers is the time and cost sucked up waiting for FDA testing and approval before a device can be released to the market. Sometimes this can take up to 10 years from delivery of a production-ready pilot. No wonder vendors rush to get their new systems into the approval pipeline as fast as possible. The current FDA testing process is long, bureaucratic and arcane. It delays and discourages manufacturers from bringing new devices to market that could save or improve lives, and needs to be drastically improved. Government in any country is not renowned for its speed and dynamism, so perhaps longer term, the role for medical device approval needs to reside elsewhere; especially if the public is to be better served with safe and secure medical devices that are not massively out of date the day they become available to the medical community and to patients.
Regardless of how we got to the current position and who is to blame, medical device manufacturers have an obligation and duty of care to provide secure medical devices they design, manufacture and profit from. Many have historically failed to design-in even basic security to their devices. My hope is that the FDA recall causes a rethink of that approach across all medical device manufacturers worldwide. If the MedSec/Muddy Waters—St Jude Medical pen test is repeated on other insecure medical devices, a lot of manufacturers are going to be dealing with their stock being dumped, as well as an unwanted degree of public scrutiny, and expensive recalls.
Richard Staynings is Cisco's Security Principal Director and Global Cybersecurity Healthcare Leader, and a member of the HIMSS Privacy and Security Committee.