Why Aren't There Better Cybersecurity Regulations For Medical Devices?

citadrianne writes with an excerpt from Motherboard about some of the factors behind the long-decried security problems that surround medical hardware, and that will only become more pressing as some long-term treatments become both more portable (in the form of drug pumps, muscle stimulators, etc), more connected to sensors and controllers, and more dependent on software. There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them. A big part of the problem is there are no regulations requiring medical devices to meet minimum cybersecurity standards before going to market. The FDA has issued formal guidelines, but these guidelines "do not establish legally enforceable responsibilities." "In theory you could sell a bunch of medical devices without ever having gone through a security review," the well-known independent medical device security researcher Billy Rios told Motherboard.

CIA triad...in a different order

[xxxJonBoyxxx]

If you work for a typically paper-pushing corporation, the priority on the "CIA triad' (confidentiality, integrity and availability) is usually: C, then A then I. If you work for a utility ("ICS"), it's often A then I then C. And if you work with medical devices, it's definitely I then A and maybe way down the line maybe C, because there's the HIPAA legal hammer to take care of all that. Hardly anyone in this stack understands authentication, but the key with at least the last two is that if someone's trying to use a machine or device and they are standing right next to it, they are assumed to be authorized. Unfortunately, that line of thinking leaks out into web interfaces, telnet and other craziness, and that's why it's all a mess at the moment.