FDA Fails to Properly Evaluate Medical Device Security per U.S. GAO Report

Warning: The contents of this blog post could (literally) give you a heart attack.

The U.S. Government Accountability Office (GAO) has published an interesting report on information security in medical devices. Unfortunately, it has probably been overlooked amid all the U.S. election news.

The 62-page report calls out the FDA on its 2001 and 2006 premarket reviews of two medical devices that have since been shown to have known vulnerabilities, and states that "FDA considered information security risks from unintentional threats, but not risks from intentional threats". While it is comforting to know that the FDA is looking at issues such as accidental electromagnetic interference, it worries me that the FDA is not considering the more serious threat: intentional, malicious interference with a device.

Specifically, FDA considered risks from unintentional threats for four of the eight information security control areas GAO selected for its evaluation—software testing, verification, and validation; risk assessments; access control; and contingency planning. However, the agency did not consider risks from intentional threats for these areas, nor did the agency provide evidence of its review for risks from either unintentional or intentional threats for the remaining four information security control areas—risk management, patch and vulnerability management, technical audit and accountability, and security-incident-response activities. According to FDA, it did not consider information security risks from intentional threats as a realistic possibility until recently. In commenting on a draft of this report, FDA said it intends to reassess its approach for evaluating software used in medical devices, including an assessment of information security risks.

This report is definitely an eye-opening read, and it also shows that the federal government is starting to treat deliberate attacks, not just accidental failures, as part of information security for medical devices.

Report:
Highlights - FDA Should Expand Its Consideration of Information Security for Certain Types of Devices

Download Full Report (PDF)