Why Aren't There Better Cybersecurity Regulations For Medical Devices?

citadrianne writes with an excerpt from Motherboard about some of the factors behind the long-decried security problems that surround medical hardware, and that will only become more pressing as some long-term treatments become both more portable (in the form of drug pumps, muscle stimulators, etc), more connected to sensors and controllers, and more dependent on software. There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them. A big part of the problem is there are no regulations requiring medical devices to meet minimum cybersecurity standards before going to market. The FDA has issued formal guidelines, but these guidelines "do not establish legally enforceable responsibilities." "In theory you could sell a bunch of medical devices without ever having gone through a security review," the well-known independent medical device security researcher Billy Rios told Motherboard.

Be careful what you ask for

I am a physician. While I don't implant pacemakers or defibrillators, I do take care of a number of patients who have these devices.

One critical issue here is accessibility of these devices. Suppose someone gets an implantable cardiac defibrillator for a failing heart. If the patient's cardiac status worsens, they device may activate and keep the heart beating. In these circumstances, it's critical that the physicians at the hospital have immediate and unrestricted access to the data on the device. Without this data, the physicians are at a serious disadvantage in trying to keep the patient alive.

To further complicate things, a patient in the midst of a cardiac event may not be able to provide a password. Even if the password is stored somewhere in the medical records, modern electronic record systems are often cumbersome to find such data. For example, if the device was implanted at a different hospital, the records typically have to be printed, faxed and then scanned in order to access the data. Those ridiculous steps translate into delays in care.

The real conundrum is whether a particular security modality is going to save more lives by thwarting hackers that it will cause deaths by delaying medical treatment.