BreachExchange mailing list archives
FDA issues encryption, authentication rules for medical devices
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Sun, 18 Aug 2013 22:42:17 -0600
http://healthitsecurity.com/2013/08/16/fda-issues-encryption-authentication-rules-for-medical-devices
The Food and Drug Administration (FDA) has issued new guidance on the radio frequencies of wireless medical devices, including recommendations for authentication and encryption measures to ensure the security of the device and the safety of the patient. Properly encrypted wireless devices will not only prevent hacking and misuse of the device itself, but also reduce the likelihood of unauthorized access to the wireless network itself. While the recommendations are mostly directed at device manufacturers, the rules have significant implications for security professionals as well.
“Increasingly, the healthcare enterprise and associated devices are becoming wireless enabled and integrated. So, this type of guidance is very important,” says Dale Nordenberg, MD, executive director of the Medical Device Innovation, Safety and Security Consortium. “Authentication and encryption will help protect against hacking to prevent the possibility of access to the device and associated networks by unauthorized personnel to protect both patient safety and patient privacy. In certain cases, taking control of a device could result in broader access to the enterprise’s IT devices and assets.”
Specific areas of concern for security managers include the capability of technologies to automatically sense and connect to an unsecured wireless network, and the transmission of sensitive patient health data over such a network. Potential risks also include a malicious attack on the patient himself, with an unauthorized hacker delivering a fatal overdose of medication or device malfunction through the network, the possibility of which was recently illustrated by ethical hacker Barnaby Jack.
The FDA encourages the use of state-of-the-art encryption and authentication methods, although the Agency did not recommend specific protocols, since security technology is changing at a rapid pace.
The guidance follows an additional FDA report on the need for interoperability standards for medical devices to enhance the “plug-and-play” capabilities of products.