FDA Seeks to Plug Swiss Cheese-size Holes in Medical Device Security Systems
The Internet giveth and the Internet taketh away.
For years, we’ve been hearing about the benefits online tools will bring to the medical industry, especially at hospitals and physicians’ offices. Many of those promises have come true, and it’s been a benefit for patients and industry.
But that sound you are hearing could be the other shoe dropping.
Perhaps reacting in part to a sobering year-long series by The Washington Post finding big, big holes in medical device security systems, the FDA this week (June 17) issued a new safety communication suggesting that hospitals take this threat to medical devices seriously.
Meantime, the FDA has been a busy beaver. Last week the agency issued an alert and notices bulletin advising the industry to shore up key medical device security provisions.
Among its recommendations for responsible medical device manufacturers:
- Kick the tires on your program designed to limit device access to trusted users only.
- Utilize stronger security controls such as user authentication (for example, user ID and password, smartcard or biometrics); stronger password protection that avoids hard-coded passwords and limits public access to passwords used for technical device access; physical locks; card readers; and guards.
- Use design approaches that maintain a device’s critical functionality, even when security has been compromised, known as “fail-safe modes.”
- Provide methods for retention and recovery after an incident where security has been compromised.
No, neither Woodward nor Bernstein was involved in The Post piece, but it’s pretty thorough and damning for the medical device industry nonetheless.
Security analysts at cyber security firm Cylance found it was depressingly easy to figure out hundreds of passwords for sensitive surgical equipment and patient monitors, among others.
“We stopped after we got to 300,” Billy Rios, who found the passwords with his colleague Terry McCorkle, told The Post.
They tell me Swiss cheese holes are the result of bacteria popping (some use a grosser word). I’m no foodie, leaving that to fellow blogger Kim Egan and celebrity chefs, but I do understand that these are “good” holes.
Holes in medical device security programs are not among them.