Medical device security research on the upswing

Healthcare professionals should look for an uptick in cybersecurity research for medical devices during 2016, security researcher Billy Rios says in an interview with HealthcareInfoSecurity.

Rios, founder of the independent security research and services firm Whitescope, says he's been contacted by an array of people wanting to get involved--people who in the past have not been focused on healthcare security research.

He expects the result to be more advisories from the U.S. Food and Drug Administration, especially along the lines of its warnings about infusion pumps, but also advisories from the Department of Homeland Security.

Rios says he is working with several organizations to develop a formal methodology for determining whether a given vulnerability poses a risk to patient safety.

"We have to systematically and objectively determine which security vulnerabilities present risks to patient harm and which present harm only to the IT infrastructure. Both are very important, but as a patient safety issue, we certainly have to treat them differently," he says.

Some medical devices he's looked into have thousands of known vulnerabilities. Many of them are potential problems already there when a hospital buys the equipment, he adds. "Once a hospital buys a device, the work's not done," he says. In some cases, the problem could be remediated merely downloading a patch, but this often isn't done.

The FDA's recent guidance on postmarket surveillance is an attempt to address those issues.

Rios gained attention by pointing out the infusion pump vulnerabilities to the FDA. He's been among the agency's critics who have termed it a "toothless dragon" in its lax oversight of medical device issues.

To learn more:
- read the article