The non-profit Center for Internet Security has announced that it is developing guidelines on securing Internet-enabled medical devices, beginning with insulin pumps, and plans to release them by the end of the year. It's seeking input from hospitals, device manufacturers and cyber security experts through the end of August and plans to focus on other devices later.
Healthcare professionals are starting to remotely access implanted medical devices, such as insulin pumps, pacemakers and defibrillators, over the Internet, but those devices can be hacked, the announcement points out.
In June, the Department of Homeland Security warned that it found password vulnerability problems in 300 medical devices being made by 40 companies. And the U.S. Food and Drug Administration published new guidance calling for developers and healthcare facilities to beef up security efforts while creating and using those devices.
Security pros have long warned of security holes and malware on medical devices. In a recent Wall Street Journal post, two hospital CIOs expressed their frustration that device makers react too slowly to security risks.
Jay Radcliffe, a computer security expert working for IBM, demonstrated at the Black Hat security conference in 2011 that he could take control of an insulin pump. Another security researcher, Barnaby Jack, was scheduled to demonstrate this summer how he could hack a pacemaker, but died before the Black Hat conference took place, SFGate.com reports.
The Center for Internet Security said it will bring to the effort its 13 years of experience in building consensus on secure configuration settings across a range of information technologies.
The benchmarks are intended to build upon the FDA's draft "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices."