Tuesday, January 19, 2016

FDA issues draft guidance for updating med device software

This month, the FDA issued a bulletin titled Postmarket Management of Cybersecurity in Medical Devices.  The draft guidelines are 25 pages long and honestly don't contain anything earth shattering for those of us in the infosec profession.
"Severity to health" matrix
Of course the problem is that many medical device manufacturers don't really understand security.  How do I know?  At Rendition Infosec we regularly find crazy misconfigurations on medical devices.  Things like unauthenticated CGI, unauthenticated telnet, web servers running as root, hardcoded passwords, etc.  As basic as these recommendations will seem to infosec professionals, they are sorely needed in the medical device manufacturing market.

Some of my favorite parts of the recommendations include establishing a vulnerability intake process, performing monitoring for information about discovered vulnerabilities to their devices, and adopting a coordinated vulnerability disclosure process.  In working with several medical device manufacturers over the last few years, I have not seen a single one that performs any of these recommendations consistently.

If you don't want to read 25 pages of draft recommendations, here's the TL;DR version:
These programs should emphasize addressing vulnerabilities which may permit the unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient, and may impact patient safety. Manufacturers should respond in a timely fashion to address identified vulnerabilities. Critical components of such a program include: 
  • Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
  • Understanding, assessing and detecting presence and impact of a vulnerability; 
  • Establishing and communicating processes for vulnerability intake and handling;
  • Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
  • Adopting a coordinated vulnerability disclosure policy and practice; and
  • Deploying mitigations that address cybersecurity risk early and prior to exploitation  
While I generally despise government legislating cybersecurity standards, this is probably a move in the right direction given the reckless handling observed to date with device manufacturers.  Also, don't forget that these are still in draft form.  If you don't like the recommendations, feel like something is missing, or that they have made a horrible error, submit your feedback to the FDA before they are made binding recommendations.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.