A few months ago, I was at a birthday party with one of my sons when another young man took out a medical device that had a long, thin tube leading back into his pocket. When asked, he identified it as his insulin pump, which he needed to check and set appropriately before having a piece of cake. “It’s capable of connecting to my phone via Bluetooth, but I’ve never set it up and wouldn’t know what to do with it anyway,” he said.

Our short conversation highlighted many of the issues we should be concerned with when the world of medical devices meets the Internet of Things (IoT). This young man was carrying a device that his life literally depends upon, and while he knows the basics of the device, he doesn’t understand the full extent of its capabilities or vulnerabilities. Unfortunately, the same can probably be said of the device’s manufacturers.

Securing the Medical Device

Honestly, security has been low on the priority list for most medical device manufacturers. Reliability is a much bigger concern, as it should be. But cybercriminals have been picking away at them since at least 2008, when researchers explained how a pacemaker could be subverted to give life-threatening shocks to its owner. While companies have taken threats like this seriously and in general fixed the problems quickly, preventing this type of vulnerability through greater focus on secure software development and testing has not become a priority for most organizations.

But this will likely be changing in the near future: The U.S. Food and Drug Administration (FDA) has released a draft of proposed guidelines for medical device manufacturers, the succinctly named “Postmarket Management of Cybersecurity Medical Devices.” This paper lays out basic guidelines for understanding and compensating for the risks that medical IoT devices will likely face, for patching, and for how such vulnerabilities should be reported to the FDA and to the device users.

Perhaps the most important part of the paper is that it offers suggestions for dealing with the people researching medical IoT devices. In other words, it recommends what to do when a white-hat hacker finds a vulnerability in a device and reports it.

I found this paper from the FDA to be filled with good advice — not just for medical IoT manufacturers, but for anyone who’s developing a program for external researchers to report issues. In other words, a bug bounty program.

While the FDA paper doesn’t explicitly talk about paying for vulnerability research, it does discuss many of the considerations that go into building such a program. There’s significantly more to the paper, most of it fundamental to any good security program, but this is what stood out the most to me.

Additional Guidelines

External to the FDA, but also pushing in the right direction for the security of medical IoT devices, a group of security professionals called I Am The Cavalry published a Hippocratic Oath for Connected Devices. While the oath calls for some of the same controls the FDA’s guidance pointed toward, it goes far beyond, listing five core cybersecurity capabilities, including security by design and resilience. Perhaps we’ll see the FDA adopt several of the points from this Hippocratic Oath to encourage manufacturers to take further steps to secure their devices from development through deployment and beyond.

My one criticism of the FDA’s guidelines is that they leave too much of the decision about what should be reported, and how specific risks and vulnerabilities should be graded, to the manufacturers. The outline does include a few good examples of what controlled and uncontrolled risks are, but it leaves it up to the manufacturer to judge where the line is.

We’ve seen multiple examples of manufacturers who refuse to acknowledge reported vulnerabilities in all industries, not just medical devices, which points to the need for concrete, defined reporting regulations rather than general ones. The guidelines are in the comment phase, so there’s hope this will change as they approach finalization.

Medical devices with Bluetooth and other wireless technologies are here and constantly evolving. The convenience of being able to control a device from your phone or a website is too alluring for it to do anything but become the standard rule for such devices. Given that people’s lives will quite literally rely on the security of medical IoT devices, manufacturers simply have to secure them.

If Dick Cheney sees enough threat in medical IoT to have the wireless on his pacemaker disabled, perhaps the rest of us should take it seriously, as well. Or at least the FDA and medical device manufacturers need to.
