BreachExchange mailing list archives

FDA issues encryption, authentication rules for medical devices


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 18 Aug 2013 22:42:17 -0600

http://healthitsecurity.com/2013/08/16/fda-issues-encryption-authentication-rules-for-medical-devices

The Food and Drug Administration (FDA) has issued new guidance on the
radio frequencies of wireless medical devices, including
recommendations for authentication and encryption measures to ensure
the security of the device and the safety of the patient.  Properly
encrypted wireless devices will not only prevent hacking and misuse of
the device itself, but also reduce the likelihood of unauthorized
access to the wireless network itself.

While the recommendations are mostly directed at device manufacturers,
the rules have significant implications for security professionals as
well.  “Increasingly, the healthcare enterprise and associated devices
are becoming wireless enabled and integrated. So, this type of
guidance is very important,” says Dale Nordenberg, MD, executive
director of the Medical Device Innovation, Safety and Security
Consortium.  “Authentication and encryption will help protect against
hacking to prevent the possibility of access to the device and
associated networks by unauthorized personnel to protect both patient
safety and patient privacy.  In certain cases, taking control of a
device could result in broader access to the enterprise’s IT devices
and assets.”

Specific areas of concern for security managers include the
capability of technologies to automatically sense and connect to an
unsecured wireless network, and the transmission of sensitive patient
health data over such a network.  Potential risks also include a
malicious attack on the patient himself, with an unauthorized hacker
delivering a fatal overdose of medication or device malfunction
through the network, the possibility of which was recently illustrated
by ethical hacker Barnaby Jack.

The FDA encourages the use of state-of-the-art encryption and
authentication methods, although the Agency did not recommend specific
protocols, since security technology is changing at a rapid pace.  The
guidance follows an additional FDA report on the need for
interoperability standards for medical devices to enhance the
“plug-and-play” capabilities of products.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
