Last night a long-time reader and respected ICS security professional, Dale Peterson, took exception to my comments about the FDA response to the Hospira Infusion Pump vulnerabilities. He noted (in part; please read his entire comment) that:
“Yes they were late to the party and are not perfect, but they have issued guidance and provided rulings that are quite impressive given the short time they have been working on the issue.”
I will admit that I haven’t paid a great deal of attention to the FDA’s response to cybersecurity issues. I have only done three blog posts on the topic (here, here and here) and made some unfavorable comments in one other post about medical control system advisories from ICS-CERT (here). And I have not looked at the FDA regulations to see what authority the FDA does actually have in this respect. So, I’ll bow to Dale’s (and Billy Rios’) larger experience set with the agency and accept that the FDA may be making an honest effort to get their control system security program up and running.
Having said that, I am still very concerned that the FDA has not been more forthcoming in sharing information with the medical community about the control system security issues with this infusion pump. I understand that a full recall of these devices may put many hospitals, clinics, and doctors in a position of not being able to provide critical medical services, but at the very least there should have been some sort of notice to the medical community published yesterday in conjunction with the ICS-CERT advisory. It’s not like the average hospital IT department routinely monitors the ICS-CERT web site (Hell, I don’t expect that most ICS owners do that; that is the whole point of my blog posts on each advisory).
Now I understand that the federal government has the same problem that most large organizations have (scaled-up due to size of course) that there are too many silos and not enough communication between them. Cybersecurity is just one area where that lack of communication is readily apparent.
ICS-CERT does not have the authority (and certainly not the manpower) to regulate control system security in any sector. The one thing that they are supposed to be doing (by convention anyway, certainly not by law or regulation) is coordinating vulnerability disclosure. Most of us have assumed that coordination was between the researcher who discovered the vulnerability and the vendor who needed to resolve the issue. It seems, in this instance at least, that the coordination also included some conversations with the FDA, since ICS-CERT reported that the FDA was reviewing the new software version. If that coordination with the FDA did take place, ICS-CERT is to be commended.
The FDA, on the other hand, seems to have limited its response to that review process (a valuable and necessary thing in its own right). It seems to me, however, that they have at the very least a moral responsibility, and probably a legal responsibility, to communicate to the medical community (at least) the medical device vulnerability that potentially puts patients at risk. If there is not a legal responsibility to do so, Congress needs to act immediately to rectify that situation (won’t happen, I know).
To be fair to the FDA, they are not the only organization that has this problem. You can pick just about any major agency in the federal government that has some dealings with control systems and you will see similar problems. This is the real information sharing conundrum that plagues cybersecurity issues: even when the federal government has information about vulnerabilities and mitigation measures, it doesn’t do an effective job of sharing that information with the people who actually own the systems involved.
Okay, enough for today’s rant. Again, the FDA is apparently attempting to get its act together about medical device control system security; kudos for that. But I remain disappointed in their lack of effort to share what information they do have with the medical community.