Why Aren't There Better Cybersecurity Regulations For Medical Devices? (vice.com)
citadrianne writes with an excerpt from Motherboard about some of the factors behind the long-decried security problems that surround medical hardware, and that will only become more pressing as some long-term treatments become both more portable (in the form of drug pumps, muscle stimulators, etc), more connected to sensors and controllers, and more dependent on software. There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them. A big part of the problem is there are no regulations requiring medical devices to meet minimum cybersecurity standards before going to market. The FDA has issued formal guidelines, but these guidelines "do not establish legally enforceable responsibilities." "In theory you could sell a bunch of medical devices without ever having gone through a security review," the well-known independent medical device security researcher Billy Rios told Motherboard.
I am a physician. While I don't implant pacemakers or defibrillators, I do take care of a number of patients who have these devices.
One critical issue here is accessibility of these devices. Suppose someone gets an implantable cardiac defibrillator for a failing heart. If the patient's cardiac status worsens, the device may activate and keep the heart beating. In these circumstances, it's critical that the physicians at the hospital have immediate and unrestricted access to the data on the device. Without this data, the physicians are at a serious disadvantage in trying to keep the patient alive.
To further complicate things, a patient in the midst of a cardiac event may not be able to provide a password. Even if the password is stored somewhere in the medical records, such data is often cumbersome to find in modern electronic record systems. For example, if the device was implanted at a different hospital, the records typically have to be printed, faxed and then scanned in order to access the data. Those ridiculous steps translate into delays in care.
The real conundrum is whether a particular security modality is going to save more lives by thwarting hackers than it will cause deaths by delaying medical treatment.
What this article is talking about is the vulnerability of BMDI devices, devices that stream data to the EMR or receive data from it. These would include bedside monitors, the pumps used to give infusions, anesthesia carts, etc. It's very important that the data be accurate and not be monkeyed with, obviously.
But if a hospital IT department, which is under-resourced because of the declining reimbursement structure in healthcare (every year being asked to treat phenomenally more and more people on less and less funding, and keep facilities up to date, and keep equipment modern and safe, and keep up with all the regulatory changes), decides to make all the device keys "1234", that's not really the architecture's fault.
There are best safe practices in place, which are of course to verify the pump's settings before you turn it on, or make sure the vitals in the record match what you're seeing on the monitor, etc. But there are security vulnerabilities due to human tendencies that even encryption won't solve.