This government institution is opting to work with ethical hackers and their researches to protect vulnerable medical devices
The work of malicious hackers has become a latent concern in today’s society, largely dependent on network connections, considered experts in digital forensics. People worry about thinking that their smart speakers or security systems in their homes are compromised, because compromising any of these services could cause serious consequences for anyone.
However, the consequences could be much worse if hackers focus their efforts on attacking medical infrastructure. Medical devices are widely used; in addition, this market shows expected growth of 3% annual, at least until 2022.
Specialists in ethical hacking and digital forensics have contacted the manufacturers of these devices after exposing the vulnerabilities in their products. Historically, the US Food and Drug Administration (FDA) have remained neutral about the role these professionals should play in exposing the weak points of technology in the health sector.
But this is changing as the agency reports that it is collaborating with ethical hackers and using the research that professionals develop to design their policies.
A recent example is a pacemaker manufactured by Medtronic. Billy Rios and Jonathan Butts, two cybersecurity and digital forensics investigators, found a vulnerability that would allow a hacker to change the device settings remotely, potentially causing serious consequences. The FDA and Medtronic issued safety alerts on pacemakers. In addition, Medtronic stopped issuing updates for these devices until an effective way to fix the problem was found.
However, the company stated that it was not possible to manipulate the devices remotely. It also said that the vulnerability was under control and that it was not a threat to the patient. The two ethical hackers continued to work with Medtronic for months, and then presented their research to the FDA, which continued with their own analysis.
The FDA said its research coincided with that of cybersecurity experts, forcing Medtronic to admit that vulnerability could affect patients if it was not resolved. Such progress emphasizes why the FDA’s collaboration with ethical hackers could be as beneficial to both the technological community and consumers.
In short, the researchers tried for months to get the manufacturer to take their research seriously, without success. It was the FDA’s intervention which helped the company recognizes the severity of the incident. If such partnerships continue to occur, patients could access safer products, as ethical hackers gain greater recognition for their research.
Apparently this will not be the only case of collaboration between the FDA and ethical hackers. According to Jeff Shuren, an FDA official, there is awareness of the crucial role that cybersecurity researchers play in monitoring medical devices security.
Shuren also noted that the FDA encourages manufacturers to rely on ethical hackers, especially if companies do not have an area of specialists in the field to correct possible failures in their products before they are released to market.
According to reports from the International Institute of Cyber Security, some other ways to manipulate medical devices include altering their functioning or reporting incorrect readings that could influence a patient’s treatment or diagnosis. Hackers could also make diagnostic equipment, like magnetic resonance machines, collapse.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.