
FDA isn't doing enough to prevent medical device hacking, HHS report says - rbanffy
https://edition.cnn.com/2018/11/01/health/fda-unprepared-medical-device-hacking/index.html
======
zaroth
"Medical Device Hacking" is a large part of how my wife and I slept at night
for the last few years, based on the open source Nightscout [1] project which
interfaced my kids' Dexcom CGMs to our smartphones. Continuous Glucose
Monitors allow T1Ds to track their blood sugar without finger sticks and are
particularly useful at night for catching lows.

The Nightscout project was a strong motivator for Dexcom to push harder on
developing and improving their remote monitoring solution. A solution which
could easily have languished in R&D and FDA approval hell for another 5-10
years got to market much more quickly once users were out there DIY'ing their
own remote monitors.

Additionally there are a lot of "mis-features" that are coded into T1D
products, presumably foisted on companies by the FDA to avoid liability, but
which ultimately are a mild form of torture on end-users day in and day out.
Having an option to turn to open source alternatives when the incessant alarms
which can't be disabled are driving you mad is better than throwing out the
device altogether. For those who haven't used or know anyone who has a pump,
pod, or CGM -- the problem is that the devices are subject to dozens of
variables which impact their performance, reliability, or accuracy, and alarms
are often "lacking context" (to put it mildly) or outright wrong.

E.g. When you've treated a low and double checked with a finger stick that
blood sugar is rising, a siren going off every 5 minutes from the CGM at 4am
is enough to want to remove the CGM and smash it with a hammer.

Having open source alternatives is a large part of, I believe, forcing Dexcom
and even the FDA "to the table" to reconsider hard-coded patient hostile
"features". It's easier to appease the lawyers and go into CYA mode when
there isn't a strong open source competitor with 28,000 Facebook followers
and a Github repo with 21,000 forks [2].

[1] - [http://www.nightscout.info/](http://www.nightscout.info/)

[2] - [https://github.com/nightscout/cgm-remote-monitor/](https://github.com/nightscout/cgm-remote-monitor/)

~~~
speedkills
A large percentage of Dexcom developers have had their lives impacted by
Diabetes in some way. This and plain old competition are the biggest drivers
in their features and usability in my experience. You have to keep in mind
like most businesses they have a long feature pipeline in development that is
not public knowledge. If you release a feature and see it mirrored by someone
else shortly after it's as likely that you both thought of it, and you just
beat them to it than it is that they were inspired by you. Especially when one
of you has a much shorter time to market thanks to no FDA oversight.

~~~
akira2501
> Especially when one of you has a much shorter time to market thanks to no
> FDA oversight.

They're fundamentally different markets, though. The device manufacturer is
out to turn a profit on hardware, the open source programmer is out to improve
their own individual experience.

Why should the second individual be subject to FDA oversight? I mean, I'm glad
the FDA exists, but their function is to regulate the overall market -- not
make it harder for me to make my _own_ healthcare decisions.

~~~
crankylinuxuser
> Why should the second individual be subject to FDA oversight? I mean, I'm
> glad the FDA exists, but their function is to regulate the overall market --
> not make it harder for me to make my _own_ healthcare decisions.

Regulatory capture from the ADA..

Yes, the FDA does make it harder/impossible to treat yourself. You are an
idiot as far as they are concerned. And the doctor is the holy grail of
decisions. And even how they come to a decision is 'holy' knowledge.

I should be able to go down to a drug store and buy most drugs (ideally all,
but another story) and administer them to _myself_. I should be able to treat
myself. But all that's locked away behind one of the biggest paywalls we have
in this country.

~~~
derefr
> Yes, the FDA does make it harder/impossible to treat yourself. You are an
> idiot as far as they are concerned.

FWIW, the FDA doesn't even think about the end-consumer. They're the
government's labelling-standards body. They just care that:

1. if you sell a product labelled 'X' (e.g. "milk", or "ibuprofen"), then it
should contain only the ingredients—and the concentrations of such—listed in
The Big FDA Book of What Products Labelled 'X' Contain. (This covers both the
"no salmonella" cases, the "you can't call Cheez Whiz 'cheese'" cases, and the
"beef withdrawn from the market for containing more iodine than beef usually
contains" cases.)

2. if you make up a new product 'X'—really, a new product _label_ 'X'—then
"FDA approval" just means convincing them to add a page to their Big Book. You
have to write that page: you must claim all the expected effects of consuming
an 'X', and exhaustively list all potential side-effects of consuming an 'X'.
Then, you must submit evidence that proves to their satisfaction that your
reference-product for the label 'X' has _all_ of those effects you listed; and
that it has _no other_ side-effects than the ones you listed.

Food manufacturers usually just have to deal with #1. Drug manufacturers have
to deal with #2 and then #1. (Or just #1 if they're making existing drugs.)

The FDA was, for most of its life, just about #1: enforcing product
_integrity_. They also did #2, but #2 wasn't a big deal—getting approval from
the FDA for a new drug wasn't supposed to be hard or even expensive, as long
as your drug really _did_ something. It could even have disastrous side-
effects. If you thought it was still marketable despite those, then you could
just tell the FDA about them and they'll approve it. (See: all chemo drugs.)
Just give the FDA a proven-accurate page for their Big Book, and they're
happy.

But then the pages of the FDA's Big Book began to get taken as truth by
various _other_ standards bodies, that regulate what can or cannot be sold
(sold at all, or sold over-the-counter, etc.)

And, because of that, manufacturers wanted their page in the Big Book to list
great effects and few side-effects. Because then the barriers between them and
their market are lower.

And what this means, is that that manufacturers started _lying_ to the FDA,
submitting a page describing what they _wish_ the product was like, rather
than what it _is_ like. That's the only reason the FDA ever "does not approve"
(note: not "rejects", just "does not approve") of a new label—the manufacturer
can't prove their claims. I.e., the label isn't _true_.

Thus began the adversarial and expensive relationship between modern pharma
companies and the FDA: the pharma companies want to make everything OTC and
want to make a million claims about what each drug does; and the FDA just
stands there, shakes its head, and tells them to come back with numbers
proving their claims. And then the pharma companies burn through
millions/billions of dollars trying to "prove" things that they _know_ aren't
true. Until they either eventually fail and just register a realistic
monograph; or, rarely, they _succeed_ (due to p-hacking) and end up with a
drug that now is being taken by all the wrong people for all the wrong
reasons.

Hate the ADA, or the DEA, or any number of other groups that use the FDA's Big
Book, but don't hate the FDA themselves. All they're doing is taking a set of
words (like "milk" or "ibuprofen"), defining them precisely, and then
requiring companies that _use_ those words in their marketing, stick to the
_definitions_ those words have in their Big Book.

------
Cerium
As someone working in medical devices, the FDA has really stepped up their
game. They have issued a draft guidance on cybersecurity expectations[1] and
are now rejecting submissions that don't adequately address security for
internet connected devices. There is still a long way to go, but I think
change is happening in the field.

[1] - [https://www.fda.gov/downloads/MedicalDevices/DeviceRegulatio...](https://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM623529.pdf)

------
RanjoUnchained
Unfortunately, many large and traditional medical device companies did not
incorporate security practices in their design and development phases, nor did
they stay vigilant in the post-market phase with regard to the latest and
greatest security updates. It is only in recent years, due to many
embarrassing news articles reporting on vulnerabilities in pacemakers and
infusion pumps, that these companies have been forced to take more action. But
even then they are still trailing behind other industries, especially the
consumer and financial sectors.

It's also worth mentioning that the FDA's focus is different from HHS or other
agencies. While other agencies care about consumer data integrity and protected
health information (PHI), in the case of HHS and HIPAA regulations, the FDA is
focused solely on patient safety and clinical efficacy. The FDA holds medical
device companies accountable only if vulnerabilities lead to patient safety
issues within the risk management framework. If medical device companies show
in their hazard analysis and risk management file that it's unlikely for a
vulnerability to be exploited in a way that compromises patient safety, given
the clinical controls and intended use environment, then they don't have to act
on them.

You can see that in the FDA post-market guidance on cybersecurity, where they
show a chart for Controlled vs Uncontrolled vulnerabilities. So it's not
uncommon to see a scenario where there is a high CVSS score for a vulnerability,
but for a medical device intended for use in a hospital the manufacturer claims
that, according to their risk management file, the same vulnerability is
controlled and thus it's OK not to take any additional measures.

[https://www.google.com/search?biw=1516&bih=947&tbm=isch&sa=1...](https://www.google.com/search?biw=1516&bih=947&tbm=isch&sa=1&ei=ehrrW7HwLMKQ0gKHub-wDw&q=fda+cybersecurity+post+market+controlled+guidance&oq=fda+cybersecurity+post+market+controlled+guidance&gs_l=img.3...11604.12457..12570...0.0..0.73.585.9......1....1..gws-wiz-img.dW-OVgKKZM4#imgrc=bUFhztFMhb5ZfM)

~~~
bpp
Your point about FDA's mission is paramount, but in this case it extends to
HHS (its parent) as well. It'd be foolish to expect large (calcified)
government agencies to, of their own accord, take on tasks so far outside of
their core competency. The FDA primarily deals with substances that we put in
our mouths (although of course they do have responsibility for medical
devices). Security engineering just isn't at the core of their mission; this
is the kind of thing that ideally could be outsourced to a better-equipped
agency.

------
qwerty456127
Whatever device I buy I want it to be hackable, medical devices included.

~~~
rbanffy
I want them hackable by me and hardened to anyone else.

~~~
bluGill
I was nodding in agreement for a few seconds. Then I realized I'm not perfect.
If I hack my own device I'm going to make a mistake and kill myself. Since
that isn't a desired goal I don't want to be tempted.

I want the device to be perfect so I don't have to think about it. Some
devices should just work and not be thought of. (I include the refrigerator in
this group)

~~~
marcosdumay
If it's a concern, just don't hack it. Why would you be tempted?

~~~
bluGill
If I can do it someone else can - potentially without my permission.

~~~
swebs
>I want them hackable by me and hardened to anyone else.

------
sithadmin
Good Defcon talk on this from a few years back:
[https://www.youtube.com/watch?v=ZusL2BY6_XU](https://www.youtube.com/watch?v=ZusL2BY6_XU)

------
apercu
So many years ago I started my career at a biomedical manufacturer that sold
EEG, EMG, polysomnography and transcranial doppler devices. Most of these were
built on some variant of UNIX (SunOS, Unixware, QNX) and were locked down to
be pretty secure once networking within hospitals became more common.

The new CEO listened to what medical departments wanted, and that was a PC
that could perform the clinical functions but also run MS office. So the
entire engineering department spent a couple years porting everything to NT.

Then you had viruses taking out diagnostic devices. So virus scanners were
installed. Now you had latency issues between the amplifier and ADC conversion
and display or other issues (I don't remember all of them to be fair).

Keep in mind that some of these devices were used in the OR. Now, I'm not
saying that Windows was 100% the problem, certainly the idea of multi-use
contributed, but we never had any of these issues when we rolled out operating
systems that locked down what you could do on the device (technicians couldn't
even access the OS unless we told them how) and that we could easily secure.

------
sandworm101
Has there ever been a case of a medical device being hacked to do real-world
physical harm? Considering the billions that will need to be spent to secure
future devices, are there not perhaps other areas of healthcare where the same
money could save more lives?

~~~
bdelay
My guess is that yes, absolutely, but very few people know about it / a doctor
or nurse was blamed.

Medical system security does not seem very good. When I was operating in the
area a while back, one comment I kept seeing was similar to yours. "Yes, the
security is bad, but the good these devices do outweighs the bad."

I agree with that, but my follow-up has always been, why can't these devices
continue to help patients, but in a secure way? The manufacturers really don't
want to spend the money to try and have some form of a security posture?

Rhetorical question. At the end of the day, my pessimistic view is that
nothing will happen until some firm finally proves that there has been a high
profile attack, there is an ensuing media firestorm, and the regulation
process starts happening.

~~~
Nasrudith
The problem with them is the same as DRM essentially - you have to keep it
accessible to everyone and not accessible at the exact same time. The key
management is a nightmare.

I believe the best compromise would require forward-thinking leadership and
design. Make medical devices that must or would be served by communication and
control short-range by design. Ideally it could be turned off by the patient,
but close range enough that a doctor can access it while the patient is in no
position to assist. The added danger is minimal, given that anyone that close
who wanted them dead could just murder them in other ways.

Have a centralized registry of valid public keys - there are debates about who
should have one, but that is a whole other topic. The point being
nonrepudiation: an audit trail will be left, which means in cases of
malfeasance the corresponding entity is the one responsible, either directly
or by letting their key get compromised. The practical pain is the logistics,
of course.
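
A sketch of the key-registry and audit-trail scheme described above, added here as an illustration and not code from the thread or from any real device: the device carries a registry of caller public keys provisioned at setup (so it works with no network access, as the reply below points out it must), verifies each command's Ed25519 signature against the named caller's key, and appends every accepted command together with its signature to a log, so the issuer can be identified and cannot later deny it. The caller IDs, command strings and type names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Registry maps a caller ID to its public key. It is provisioned into the
// device offline (hypothetical structure, not any real device's format).
type Registry map[string]ed25519.PublicKey

// AuditEntry keeps the signature alongside the command so the entry can be
// re-verified later by anyone holding the registry (nonrepudiation).
type AuditEntry struct {
	Caller    string
	Command   string
	Signature []byte
}

// Device holds the pinned registry and an append-only audit log.
// A real device would back the log with tamper-evident storage.
type Device struct {
	Registry Registry
	Log      []AuditEntry
}

// message binds the caller ID into the signed bytes, so a signature issued
// by one registered caller cannot be replayed under another identity.
func message(caller, command string) []byte {
	return []byte(caller + "\x00" + command)
}

// Sign is the caller side: sign the caller ID plus command.
func Sign(priv ed25519.PrivateKey, caller, command string) []byte {
	return ed25519.Sign(priv, message(caller, command))
}

// Apply rejects unknown callers and bad signatures before anything reaches
// the log; accepted commands are logged with who signed them and the proof.
func (d *Device) Apply(caller, command string, sig []byte) error {
	pub, ok := d.Registry[caller]
	if !ok {
		return fmt.Errorf("unknown caller %q", caller)
	}
	if !ed25519.Verify(pub, message(caller, command), sig) {
		return fmt.Errorf("bad signature on command from %q", caller)
	}
	d.Log = append(d.Log, AuditEntry{caller, command, sig})
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample key
	dev := &Device{Registry: Registry{"dr-example": pub}}
	sig := Sign(priv, "dr-example", "alarm-snooze 30m")
	fmt.Println(dev.Apply("dr-example", "alarm-snooze 30m", sig))
	fmt.Println(dev.Apply("dr-example", "alarm-snooze 8h", sig), len(dev.Log))
}
```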

~~~
sandworm101
But unlike most modern drm, you have to do it without network access. You
cannot even assume the ability to deliver updates.

------
peterwwillis
There are still medical devices found on the internet. I don't think the FDA
can regulate that away, we need active efforts to locate and secure holes in
critical systems.

