A few months ago, I was at a birthday party with one of my sons when another young man took out a medical device that had a long, thin tube leading back into his pocket. When asked, he identified it as his insulin pump, which he needed to check and set appropriately before having a piece of cake. “It’s capable of connecting to my phone via Bluetooth, but I’ve never set it up and wouldn’t know what to do with it anyway,” he said.

Our short conversation highlighted many of the issues we should be concerned with when the world of medical devices meets the Internet of Things (IoT). This young man was carrying a device that his life literally depends upon, and while he knows the basics of the device, he doesn’t understand the full extent of its capabilities or vulnerabilities. Unfortunately, the same can probably be said of the device’s manufacturers.

Securing the Medical Device

Honestly, security has been low on the priority list for most medical device manufacturers. Reliability is a much bigger concern, as it should be. But attackers have been picking away at these devices since at least 2008, when researchers showed how a pacemaker could be subverted to deliver life-threatening shocks to its owner. While companies have taken threats like this seriously and in general fixed the problems quickly, preventing this type of vulnerability in the first place, through increased focus on software development and testing, has not become a priority for most organizations.

But this will likely be changing in the near future: The U.S. Food and Drug Administration (FDA) has released a draft of proposed guidelines for medical device manufacturers, the succinctly named “Postmarket Management of Cybersecurity Medical Devices.” This paper lays out basic guidelines for understanding and compensating for the risks that medical IoT devices will likely face, for patching, and for how such vulnerabilities should be reported to the FDA and to device users.

Perhaps the most important part of the paper is that it offers concrete suggestions for dealing with the people researching medical IoT devices. In other words, it recommends what to do when a white-hat hacker finds a vulnerability in a device and reports it.

I found this paper from the FDA to be filled with good advice — not just for medical IoT manufacturers, but for anyone who’s developing a program for external researchers to report issues. In other words, a bug bounty program.

While the FDA paper doesn’t explicitly talk about paying for vulnerability research, it does discuss many of the considerations that go into building such a program. There’s significantly more to the paper, most of it fundamental to any good security program, but this is what stood out the most to me.

Additional Guidelines

External to the FDA, but also pushing in the right direction for the security of medical IoT devices, a group of security professionals called I Am The Cavalry published a Hippocratic Oath for Connected Devices. While the oath calls for some of the same controls the FDA’s guidance points toward, it goes far beyond them, listing five core cybersecurity capabilities, including security by design and resilience. Perhaps we’ll see the FDA adopt several of the points from this Hippocratic Oath to encourage manufacturers to take further steps to secure their devices from development through to deployment and beyond.

My one criticism of the FDA’s guidelines is that they leave too much of the decision of what should be reported and how specific risks and vulnerabilities should be graded to manufacturers. The outline does include a few good examples of what controlled and uncontrolled risks are, but leaves it up to the manufacturer to judge where the line is.

In all industries, not just medical devices, we’ve seen multiple examples of manufacturers who refuse to acknowledge reported vulnerabilities, which points to the need for concrete, defined reporting regulations rather than general ones. The guidelines are in the comment phase, so there’s hope this will change as they approach finalization.

Medical devices with Bluetooth and other wireless technologies are here and constantly evolving. The convenience of being able to control a device from your phone or a website is too alluring for it not to become the standard for such devices. Given that people’s lives will quite literally rely on the security of medical IoT devices, manufacturers simply have to secure them.

If Dick Cheney sees enough threat in medical IoT to have the wireless on his pacemaker disabled, perhaps the rest of us should take it seriously, as well. Or at least the FDA and medical device manufacturers need to.
