It’s irritating when you try out a smartphone app that promises something great, yet falls short in delivering it. Imagine how important it is for an app to work properly if it could literally mean the difference between life and death. The U.S. Federal Drug Administration has finally issued “final guidance” on medical mobile apps. The agency announced that it will use its regulatory oversight power to focus on “mobile medical apps that present a greater risk to patients if they do not work as intended.”
Most of us probably do not use apps that can “diagnose abnormal heart rhythms, transform smartphones into a mobile ultrasound device, or function as the 'central command' for a glucose meter used by a person with insulin-dependent diabetes.” But for people who do use such medical mobile apps, it can help them “manage their own health and wellness” as well as save them a trip to the doctor by “allowing doctors to diagnose patients with potentially life-threatening conditions outside of traditional health care settings.”
There are hundreds of medical apps listed in the iTunes App Store and on Google Play, but the FDA “does not regulate the sale or general consumer use of smartphones or tablets nor does it regulate mobile app distributors.” Instead, the agency is focusing its oversight on mobile medical apps that:
are intended to be used as an accessory to a regulated medical device – for example, an application that allows a health care professional to make a specific diagnosis by viewing a medical image from a picture archiving and communication system (PACS) on a smartphone or a mobile tablet; or
transform a mobile platform into a regulated medical device – for example, an application that turns a smartphone into an electrocardiography (ECG) machine to detect abnormal heart rhythms or determine if a patient is experiencing a heart attack.
The FDA said it “has cleared about 100 mobile medical applications over the past decade; about 40 of those were cleared in the past two years.” In fact, the FDA is increasingly being called upon to ensure medical cybersecurity.
After several years of security experts like Barnaby Jack (RIP) and diabetic Jay Radcliffe demonstrating how easily embedded medical devices could be hacked wirelessly, the feds were pressed to protect wireless medical devices from hackers. The Information Security and Privacy Advisory Board suggested the FDA should be responsible for educating manufacturers, health care and users "about the risks associated with networked and wireless medical devices."
Education is most assuredly needed, as was recently pointed out by John Pescatore, the Director of the SANS Institute, after he attended a HealthCare security breakfast during the SANS NetSec conference. He is clearly fed up with how often medical machinery and servers are left vulnerable because “vendors don't issue updates incorporating patches to Windows or other commercial software running underneath the application. The system vendors often claim ‘We can't patch, because then we would have to go through FDA certification all over again’.” Pescatore said, “This is, to put it politely, a lie.”
If you ever hear that excuse, point the vendor to the facts: the FDA has allowed patching without requiring re-certification since 2005. As Pescatore stated, the FDA reiterated the need for patching without needing re-certification in 2009 after Conficker and again in 2013. As a matter of fact, this summer, ICS-CERT and the FDA warned that medical devices with hard-coded passwords can be remotely “exploited to potentially change critical settings and/or modify device firmware.” The FDA proposed rules recommending that device makers provide the agency with their plans for providing patches and updates.
Combining heartbeat passwords with touch-to-access security
While we are on the topic of medical security, it seems a fine time to talk about a new system to secure wireless implantable medical devices. We know insulin pumps and pacemakers can be hacked wirelessly, and vulnerable pumps can be scanned in a public space from up to 300 feet away. Researchers at Rice University are working on Heart-to-Heart (H2H) [pdf], a system to authenticate external medical device controllers and programmers to Implantable Medical Devices (IMDs).
Graduate student Masoud Rostami told PhysOrg, "If you have a device inside your body, a person could walk by, push a button and violate your privacy, even give you a shock. He could make (an insulin pump) inject insulin or update the software of your pacemaker. But our proposed solution forces anybody who wants to read the device to touch you."
Heart-to-Heart uses the patient’s heartbeat, which is “different every second,” combined with “software in the IMD to talk to the ‘touch’ device, called the programmer. When a medical technician touches the patient, the programmer would pick up an electrocardiogram (EKG) signature from the beating heart. The internal and external devices would compare minute details of the EKG and execute a ‘handshake.’ If signals gathered by both at the same instant match, they become the password that grants the external device access.”
This system would need FDA approval as well as cooperation from device manufacturers who keep "proprietary secrets very close to the chest."
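A simplified sketch of the matching step described above, added here as an illustration and not taken from the H2H paper or any device vendor: both sides derive bits from the intervals between heartbeats and grant access only if the bits largely agree. The bit-extraction scheme, the 25% threshold, the function names and the synthetic heartbeat data are all assumptions, and the readings are compared in the clear with no protection of the exchange itself.

```python
import random

BITS_PER_IPI = 4   # assumption: bits kept per inter-pulse interval (IPI)
QUANT_SHIFT = 2    # assumption: drop the 2 noisiest low bits (4 ms resolution)

def ipi_bits(r_peaks_ms):
    """Derive bits from the intervals between successive R-peaks (timestamps in ms)."""
    bits = []
    for prev, cur in zip(r_peaks_ms, r_peaks_ms[1:]):
        q = (cur - prev) >> QUANT_SHIFT
        gray = q ^ (q >> 1)  # Gray code: neighbouring values differ in one bit
        bits += [(gray >> i) & 1 for i in range(BITS_PER_IPI)]
    return bits

def readings_match(imd_peaks, programmer_peaks):
    """Grant access only if at most 25% of the derived bits differ (assumed threshold)."""
    a, b = ipi_bits(imd_peaks), ipi_bits(programmer_peaks)
    if not a or len(a) != len(b):
        return False
    mismatches = sum(x != y for x, y in zip(a, b))
    return mismatches * 4 <= len(a)

def synthetic_peaks(rng, beats=33, mean_ms=800, sd_ms=50):
    """Constructed sample data: R-peak times with beat-to-beat variability."""
    t, peaks = 0, []
    for _ in range(beats):
        peaks.append(t)
        t += max(300, round(rng.gauss(mean_ms, sd_ms)))
    return peaks

def with_jitter(rng, peaks, max_ms=1):
    """The same heartbeat seen by a second sensor, each peak off by at most max_ms."""
    return [p + rng.randint(-max_ms, max_ms) for p in peaks]

def demo():
    rng = random.Random(2013)
    imd_now = synthetic_peaks(rng)         # what the implant measures
    touching = with_jitter(rng, imd_now)   # programmer in contact at the same instant
    other_time = synthetic_peaks(rng)      # a reading taken at a different moment
    return readings_match(imd_now, touching), readings_match(imd_now, other_time)

if __name__ == "__main__":
    print(demo())
```

Because every interval contributes fresh bits, a reading that was not taken at the same instant agrees on only about half of them and is rejected, while two sensors on the same heartbeat stay within the tolerance despite millisecond-level measurement differences.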