FDA a 'toothless dragon' on med device security, researchers say

Security researchers accuse the U.S. Food and Drug Administration of being "a toothless dragon" in dealing with medical device vulnerabilities, according to a Bloomberg Business article.

In the report, hacker Billy Rios recounts how the Mayo Clinic, in 2013, engaged him and other "white hat" hackers and set them off in teams in an effort to exploit about 40 different medical devices.

"Every day, it was like every device on the menu got crushed," Rios tells Bloomberg. "It was all bad. Really, really bad."

Mayo later began exercising what security expert Kevin Fu calls "the power of the purse": requiring vendors to meet strict security testing standards before purchase. Fu predicts we will see more warnings from the FDA, similar to those it issued in July over Hospira infusion pumps. The agency said the pumps "could allow an unauthorized user to control the device and change the dosage the pump delivers."

Rios detailed vulnerabilities in the Hospira Symbiq line of pumps and reported that information to the FDA. It took more than a year for the agency to take action, according to Bloomberg.

"We have to create videos and write real exploit code that could really kill somebody in order for anything to be taken seriously," he said. "It's not the right way."

However, Rios's findings didn't force the company to fix existing machines used in hospitals and clinics or to prove that the flaws did not exist in its other models. And Hospira's other models were vulnerable as well, according to a Wired story.

In an FDA Voice blog post, members of the agency double down on the FDA's efforts to improve the safety of medical devices. They mention the Case for Quality initiative, which was started in 2011 to nudge device manufacturers beyond doing the bare minimum to meet FDA requirements and "instead focus on predictive and proactive measures they can take independently to improve quality."

The authors say that in addition to inspecting device firms, "we are thinking about other ways to support quality beyond inspections and traditional regulatory approaches."

To learn more:
- check out the Bloomberg article
- here's the Wired story
- read the FDA Voice post