Board urges evaluation of device hacking risks

The FDA already assesses medical devices for safety and effectiveness before allowing them on the market. But now a board that advises the U.S. government on security issues wants that process expanded and is recommending that regulators evaluate how secure wireless devices such as insulin pumps and defibrillators are against hacking.

Yes, hacking. There is growing concern about how protected wireless medical devices are against hacking, Wired reports. With this in mind, the Information Security and Privacy Advisory Board wants the U.S. government to allow the FDA or some other agency to assess how secure devices that rely on software are against hacking. And for even better protection, the board wants some kind of system that would also rope in the United States Computer Emergency Readiness Team, through which medical device security problems could be reported, tracked and fixed.

Wired got the scoop through a March 30 letter Advisory Board Chairman Daniel Chenok sent to the Office of Management and Budget, which his group advises. The letter came after an early February meeting of the Information Security and Privacy Advisory Board.

"The Board heard experts discuss how lack of cybersecurity preparedness for millions of software-controlled medical devices puts patients at significant risk of harm," Chenok wrote. "A single Federal entity (such as FDA) should be assigned responsibility for taking medical device cybersecurity into account during pre-market clearance and approval of devices, and during post-market surveillance of cybersecurity threat indicators at time of use," he added as a recommendation.

It will be interesting to see how the device industry responds to calls for another layer of regulatory approval, even as it seeks to streamline the process. But the issue isn't going away. Just this week, the BBC reported on research from the University of Massachusetts-Amherst and the software security company McAfee that has revealed hacking vulnerabilities in medical device software. A McAfee researcher was able to pinpoint a radio signal "used by a well-known insulin pump" and then figured out how to hijack it. Medtronic ($MDT) has also had to refute reports in recent months that some of its devices may be vulnerable to hacking.

Of course, why would anyone want to hijack a medical device? In a post-9/11 world, that question apparently has a simple answer: Because they can.

- here's the Wired story
- read the BBC hacking piece