The cyber security of connected medical devices, notoriously poor for decades, could finally start to improve.
The June 6 announcement by the federal Food and Drug Administration (FDA) on a change in the premarket certification process of devices was low-key—11 pages of dense bureaucratese buried within tens of thousands of pages in the Federal Register.
But the implications of the FDA’s adoption of UL 2900-2-1 as a “consensus standard” are enormous, both for device manufacturers and for patients.
UL—formerly Underwriters Laboratories—is an independent third-party assessment firm that has certified consumer product safety for more than a century.
And UL 2900-2-1, which is part of a series of documents referred to as 2900, was developed over a number of years with input from multiple stakeholders, including Synopsys, and approved by the American National Standards Institute (ANSI), calls for “structured penetration testing, evaluation of product source code, and analysis of software bill of materials,” among other things.
That’s the kind of testing and analysis that security experts have been pushing for more than a decade, including static analysis, software composition analysis (SCA), dynamic application security testing (DAST), and interactive application security testing (IAST).
The standard provides “a tool for healthcare technology manufacturers to demonstrate, via objective test-based evidence that good cybersecurity hygiene has been exercised,” said Anura Fernando, principal engineer for Medical Systems Interoperability & Security at UL.
Technically, this UL standard is not a mandate. It is just “guidance.” As Emergo put it in a blog post several weeks after the announcement, “US medical device market applicants may now utilize ANSI UL 2900-2-1 to demonstrate safety of their network-connected devices, accessories and software” (emphasis added).
But the reality is that if device makers want to get their products through what has always been a laborious FDA pre-market approval process intended to ensure patient safety, the new standard might as well be mandatory. While it doesn’t spell out exactly how testing must be done or what tools must be used, the clear message is that failing to do it will keep your product off the shelves.
Indeed, one of the key items on the FDA’s Medical Device Safety Action Plan, published just three months ago, was to “update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack).”
Chris Clark, principal security engineer with the Synopsys Software Integrity Group, said the UL 2900 standard is the first FDA guidance to “provide specific criteria that must be met in order to achieve certification. Basically, this provides the industry a check and balance to help ensure risk outcomes are checked by cyber security–focused testing.”
The need for massive improvement has been obvious for some time. Put the phrase “medical device hacks” into any search engine, and you’ll get more than 10 million hits.
Not that the number of hits reflects actual incidents, but it demonstrates the severity of the threat.
The past decade is littered with headlines about vulnerabilities in devices that were never intended to be connected to the internet, as noted in June 2017 by the Health Care Industry Cybersecurity Task Force’s Report on Improving Cybersecurity in the Health Care Industry.
Among those headlines:
While that list could be much longer, the somewhat good news is that hospital officials say there have been no documented attacks on individual patients through connected medical devices.
But that, of course, is somewhat offset by the overall damage from ransomware attacks on hospitals, like the attack on Hollywood Presbyterian Medical Center in 2016 and the infamous WannaCry ransomware that disrupted hospital operations in the United States and throughout the world in May 2017. While those were not aimed specifically at devices, they affected patient care.
Beyond that was a report published a year ago by Ponemon titled Medical Device Security: An Industry Under Attack and Unprepared to Defend, which noted that “only 17% of device makers and 15% of healthcare delivery organizations (HDO) are taking significant steps to prevent attacks. Further, only 22% of HDOs say their organizations have an incident response plan in place in the event of an attack on vulnerable medical devices and 41% of device makers say such a plan is in place.”
The new consensus standard is meant to address problems like that. UL declared in a white paper from April titled Medical Devices and Cybersecurity that “device developers and manufacturers must do more than meet the minimum regulatory requirements in their efforts to protect confidential patient data and to help ensure the safety of patients.”
“Instead, they need to thoroughly evaluate and address the potential cybersecurity risks associated with their products, not just during the product development stage but also throughout the products’ anticipated use lifetime.”
That is a direct reference to the reality that in some cases, it is difficult or even impossible to patch or update software vulnerabilities in those devices.
The recommendations called out in UL 2900-1 include these:
These practices, applied rigorously, would make the cyber security of medical devices vastly better out of the gate. But of course, the reality is that it will likely take a generation—perhaps more—of devices that comply with the standard to really change the world. Many devices now in use are made to last years—in some cases decades.
“This will not be an overnight process,” Clark said. “Even products that are in design may be delayed or ask for waivers.”
And he said it will likely take time for the standard to be refined to address the capabilities and function of devices.
“A prime example is fuzz testing requirements that a device must recover from a malformed injection in two minutes or less,” he said, noting that for some critical systems, that might be far too long. “Parameters for testing might be increased in order to protect the patient.”
Bottom line: “It may be years before the entire industry is up-to-speed,” he said.
But Fernando said while it could take as long as 25 years to replace the medical devices now in use, “a well-informed community could take actions to protect healthcare infrastructure, such as network micro-segmentation and product isolation.”
Which is a major start, and more than could have been said even two months ago.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.