One burgeoning sphere of the Internet of Things is medical devices. From remote monitoring to 3D printing of living tissue, the health care market is growing.
But so are the cybersecurity risks, which is why the Department of Homeland Security and Food and Drug Administration have teamed up to implement a new framework for greater coordination and cooperation. Chris Butera, deputy director for cyber threat detection and analysis at the National Cybersecurity and Communications Integration Center, said a recent memorandum of understanding was meant to formalize that partnership.
“DHS and FDA have been working together for a number of years on coordinated vulnerability disclosure for medical devices, and what this memo really states is really formalizing the agreement that we have between FDA and DHS and how we’ve worked together over the past few years,” Butera said on Federal Monthly Insights — Security Month. “And with the kind of rising number of vulnerability submissions, we thought it was important to kind of formalize this and elevate the importance of this mission.”
DHS’ role is in the vulnerability coordination process, Butera said. The agency sponsors the Common Vulnerabilities and Exposures index program, run by Mitre, and it sponsors and runs the National Vulnerability Database at the National Institute of Standards and Technology. In addition, the agency sponsors coordinated disclosure specifically for IT vulnerabilities.
“In 2018 we coordinated over 14,000 IT vulnerabilities,” Butera said on Federal Drive with Tom Temin. “And we also do a lot of work in the industrial control systems and medical device space, which we kind of lump together because they impact the health and safety of American citizens, where vulnerabilities being exploited in those systems could have some grave consequences.”
This year, DHS coordinated the disclosure of 800 industrial control systems vulnerabilities and 37 medical device vulnerabilities, the latter number doubling from 2017.
Suzanne Schwartz, associate director for science and strategic partnerships at FDA, said it is important to recognize that today’s medical devices are not standalone boxes. In order to provide advances in care, they must be interconnected and in communication with one another. That presents a range of security challenges.
Some examples included MRI machines, ultrasounds, cardiac monitors, and even implanted devices such as pacemakers, insulin pumps and neuromodulators for pain. It can be difficult to know where to start when identifying vulnerabilities in medical devices, but Schwartz said FDA and DHS find themselves addressing issues brought to their attention by security researchers. But she also said it was a critical responsibility of manufacturers to be more proactive around monitoring devices and managing devices’ vulnerabilities throughout their lifetimes.
Whether inside or outside the body, devices come from a variety of manufacturers big and small — another risk area, Schwartz said.
“I think that the diversity or the heterogeneity that we see within the industry in and of itself represents one of the challenges, in that you’ve got multinational firms that produce the large equipment that also are in other industry verticals and so they are very mature with respect to security or understand security,” she said. “And yet at the same time you have some very, very highly innovative start-ups where when you think about the resources alone that that manufacturer may have they’re going to be far more scarce with respect to being able to address security.”