Med Device Security: Researchers Accuse US FDA of being a Toothless Dragon


Published Date : Nov 13, 2015

Security researchers have accused the US Food and Drug Administration of acting like a ‘toothless dragon’ when it comes to addressing vulnerabilities of medical devices, according to an article published by Bloomberg Business.

In the report, Billy Rios, a security researcher, recalls a 2013 exercise in which the Mayo Clinic brought him and many other ‘white hat’ hackers together, divided them into teams, and set them loose on an estimated 40 different medical devices.

Rios tells Bloomberg Business that every device on the list was compromised, one after another, day after day, and that the overall state of security was extremely bad.

The Mayo Clinic subsequently began exercising what security expert Kevin Fu calls “the power of the purse”: making purchases conditional on vendors meeting its security testing requirements. Fu predicts many more FDA warnings like the one issued in July over Hospira infusion pumps, in which the US FDA said the pumps could allow unauthorized users to take control of the devices and alter the dosage they deliver.

Rios reported the details of the vulnerabilities in the Hospira Symbiq line of infusion pumps to the US FDA. According to Bloomberg, more than a year passed before the agency took any action.

He said that researchers are only taken seriously if they produce videos and write working exploit code showing that a flaw could kill someone. That, Rios added, is not the way it should work.

Even so, Rios’s findings did not compel the company to fix the machines already in use in clinics and hospitals, nor to demonstrate that the same flaws were absent from its other models. According to a Wired story, Hospira’s other models were just as vulnerable as the Symbiq pumps.