Yesterday the DHS ICS-CERT published an alert for a hard-coded password vulnerability, reported by Billy Rios and Terry McCorkle of Cylance, affecting roughly 300 medical devices from approximately 40 vendors. The alert provides no link to the specific report that instigated it. The vulnerability itself is hardly new: the Rios and McCorkle work in this area has been covered in the press since at least January.
This may have more to do with today’s publication in the Federal Register (78 FR 35940) of a notice of availability of FDA draft guidance on “recommendations to consider and document in FDA medical device premarket submissions to provide effective cybersecurity management and to reduce the risk that device functionality is intentionally or unintentionally compromised”.
According to this FDA notice: “The draft guidance, when finalized, will represent the Agency's current thinking on management of cybersecurity in medical devices.”
A copy of the draft guidance is available from the FDA web site. After a quick scan of the document I find it disturbing that it concentrates on the information security aspects of the problem rather than on the control system issues. While I certainly wouldn’t want anyone to have access to medical information about or from a device implanted in my body, I would be much more concerned about the ability of some unauthorized person (or even an authorized person in some cases) to change device settings without my consent or informed approval.
The FDA is soliciting public comment on this draft guidance. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # FDA-2013-D-0616). It appears that the FDA will be working expeditiously (SARCASM Alert) on this issue; they are requesting that comments be filed by September 12, 2013.