Last night a long-time reader and respected ICS security
professional, Dale Peterson, took
exception to my
comments about the FDA response to the Hospira Infusion Pump
vulnerabilities. He noted (in part; please read his entire comment) that:
“Yes they were late to the party
and are not perfect, but they have issued guidance and provided rulings that
are quite impressive given the short time they have been working on the issue.”
I will admit that I haven’t paid a great deal of attention
to the FDA’s response to cybersecurity issues. I have only done three blog
posts on the topic (here,
here
and here)
and made some unfavorable comments in one other post about medical control
system advisories from ICS-CERT (here).
And I have not looked at the FDA regulations to see what authority the FDA does
actually have in this respect. So, I’ll bow to Dale’s (and Billy Rios’) larger
experience set with the agency and accept that the FDA may be making an honest
effort to get their control system security program up and running.
Having said that, I am still very concerned that the FDA has
not been more forthcoming in sharing information with the medical community
about the control system security issues with this infusion pump. I understand
that a full recall of these devices may put many hospitals, clinics, and
doctors in a position of not being able to provide critical medical services,
but at the very least there should have been some sort of notice to the medical
community published yesterday in conjunction with the ICS-CERT advisory. It’s
not like the average hospital IT department routinely monitors the ICS-CERT web
site (Hell, I don’t expect that most ICS owners do that; that is the whole
point of my blog posts on each advisory).
Now I understand that the federal government has the same
problem that most large organizations have (scaled up due to its size, of course):
there are too many silos and not enough communication between them. Cybersecurity
is just one area where that lack of communication is readily apparent.
ICS-CERT does not have the authority (and certainly not the
manpower) to regulate control system security in any sector. The one thing that
they are supposed to be doing (by convention anyway, certainly not by law or
regulation) is to be coordinating vulnerability disclosure. Most of us have
assumed that coordination was between the researcher who discovered the vulnerability
and the vendor who needed to resolve the issue. It seems that, in this instance
at least, the coordination also included some conversations with the
FDA, since ICS-CERT reported that the FDA was reviewing the new software
version. If that coordination with the FDA did take place, ICS-CERT is to be
commended.
The FDA, on the other hand, seems to have limited its
response to that review process (a valuable and necessary thing in its own
right). It seems to me, however, that they have at the very least a moral
responsibility, and probably a legal responsibility, to communicate to the
medical community (at least) the medical device vulnerability that potentially
puts patients at risk. If there is not a legal responsibility to do so,
Congress needs to act immediately to rectify that situation (won’t happen, I
know).
To be fair to the FDA, they are not the only organization
that has this problem. You can pick just about any major agency in the federal
government that has some dealing with control systems and you will see similar
problems. This is the real information sharing conundrum that plagues
cybersecurity issues; even when the federal government has information about
vulnerabilities and mitigation measures, they don’t do an effective job of
sharing that information with people who actually own the systems involved.
Okay, enough for today’s rant. Again, the FDA is apparently
attempting to get its act together about medical device control system
security; kudos for that. But I remain disappointed in their lack of effort to
share what information they do have with the medical community.