Analysis: What's in an FDA recall?
Last week the US Food and Drug Administration (FDA) took the unprecedented step of recalling a biomedical device because of concerns over its lack of cybersecurity. The device in question a St Jude Medical cardiac rhythm management product or pacemaker to the rest of us, was successfully hacked in August 2016 at the behest of a financial trading company, Muddy Waters Capital, in order to short its stock.
While other medical devices have been discovered to have security vulnerabilities in the past as the result of manufacturer-authorized penetration tests, disclosure to the public has in most cases been played down and withheld until the vendor came up with a patch or update to fix the vulnerabilities. Often this has taken multiple months or years to remedy, all the time leaving devices vulnerable in case a malicious actor should also find the vulnerability.
This case was different. Not only was the hack unauthorized, but news of the vulnerability was made public immediately without time for the manufacturer to remedy the vulnerabilities. In fact, the public disclosure of the information appeared to take the vendor by as much surprise as it did the rest of us. No longer was news of a successful hack or security test result going to wait for a vendor to leisurely and quietly fix security vulnerabilities in its products before the public found out.
This marks a major change in direction for both the FDA to get involved in ordering a recall, and for medical device manufacturers who are now on their collective back feet and will need to pivot quickly to respond to future vulnerabilities that catch them by surprise. The onus is now squarely on manufacturers to win the PR war and to quickly fix security gaps in their products.
I would also suggest that most importantly, the onus is now on the FDA and manufacturers to pro-actively get involved in the ongoing testing of all devices, not just those awaiting FDA approvals, in order to avoid the kind of PR disaster that the St Jude device resulted in. This is something that manufacturers have staunchly rejected in the past and regulatory bodies like the FDA and TGA have largely let be.
The public has now been alerted to the risks that some medical devices can pose, and are actively seeking answers.
Not only are recalls very expensive, but they damage the brand, as well as public confidence in medical device products. Who would want to have a pacemaker installed if they had the slightest doubt that the device could be hacked to electrocute them one day? The recall will also likely result in even more expensive class action lawsuits from relatives of those who died while under the support of a similar St Jude device.
The Significance of the recall
The significance of this story is that it marks a major change in the status quo, of the public being reliant upon medical device manufacturers to identify and fix vulnerabilities in the devices they sell and push out of the door. St Jude Medical which was in the process of being purchased by Abbott at the time was shocked that penetration tester MedSec and Muddy Waters Capital, would release the findings of their independent test without first alerting St Jude Medical to the vulnerabilities and allow St Jude time to fix them. As MedSec would later state:
“When MedSec discovered the vulnerabilities, we carefully considered but rejected the traditional approach to disclosure—confronting St. Jude. We believed (and still believe) St. Jude’s track history in responding to reported problems is poor. In fact, St. Jude just recently announced a potentially lethal design defect that may affect up to 350,000 of its users – two years after learning of it, apparently. In my opinion, patients deserve to understand the risks associated with the technologies upon which their health is dependent.”
St Jude sued Muddy Waters and everyone involved in the vulnerability testing, and Muddy Waters and MedSec counter-sued, bringing in independent security consultants Bishop Fox to validate their testing and findings.
Manufacturers have for a long time been accused of hiding behind US legislation including the Digital Millennium Copyright Act (DMCA) or the Computer Fraud and Abuse Act (CFAA) to hush unwelcome security research, and MedSec was quick to point this out in its counter-suit. All this did was to quash ‘white-hat’ testers and security researchers - good hackers looking for vulnerabilities so that they can be fixed, while ‘black-hats’ - malicious hackers who sell their exploits to the highest bidder - usually criminal elements who couldn’t care less about laws, carry on as usual. So, in reality this just hobbled the security research needed to protect the public from insecure medical devices. (The DMCA has since been amended to make it legal for security researchers to conduct their research.)
“When it came to our research, we concluded that a partnership with Muddy Waters was the fastest route to improved product security, improving patient safety and a better understanding of the risks faced by patients.” Claimed MedSec.
The reason FDA finally got involved in this, is because it all went very public, very quickly, and the public started asking questions. The close relationship between FDA and manufacturers has now been called into question publicly, and the FDAs independence in managing the public interest in this space challenged. FDA therefore had to do something.
The role of the FDA in protecting the public from cyberattack by medical device obviously needs to change. Manufacturers claim additional scrutiny for security will add further time and costs to the release of new innovative devices. The fact of the matter is that current FDA guidance is just that, ‘guidance’ and nothing more. Besides, many manufactures simply ignore that guidance in their rush to take a new product to market quickly. What is needed is a set of security design standards, perhaps set by the very capable US National Institute of Standards and Technology (NIST) for medical device security. This should necessitate security as a basic design consideration from the outset of all future designs, and should mandate ongoing security testing and patching of devices in the field for the entire 15 to 20 year lifespan of each device. Having independent security standards to work to would allow manufacturers and FDA to get on the same page, and reduce time-consuming ad-hoc testing by the FDA, thus speeding up approvals.
One of the major complaints by device manufacturers is the time and cost sucked up waiting for FDA testing and approval before a device can be released to the market. Sometimes this can take up to ten years from delivery of a production ready pilot. No wonder that vendors rush to get their new systems into the approval pipeline as fast as possible. The current FDA testing process is long, bureaucratic and arcane. It delays and discourages manufacturers from bringing new devices to market that could save or improve lives, and needs to be drastically improved. Government in any country is not renowned for its speed and dynamism, so perhaps longer term, the role for medical device approval needs to reside elsewhere; especially if the public is to be better served with safe and secure medical devices, that are not massively out of date the day they become available to the medical community and to patients.
Regardless of how we got to the current position and who is to blame, medical device manufacturers have an obligation and duty of care to provide secure medical devices they design, manufacture and profit from. Many have historically failed to design-in even basic security to their devices. My hope is that the FDA recall causes a re-think of that approach across all medical device manufacturers worldwide. If the MedSec Muddy Waters - St Jude Medical pen test is repeated on other insecure medical devices, a lot of manufacturers are going to be dealing with their stock being dumped, as well as an unwanted degree of public scrutiny, and expensive recalls.
Richard Staynings is the principal and cybersecurity evangelist at Cisco.