July 13th, 2020


The FDA is embracing 'ethical hackers' in its push to secure medical devices

By Derek Hawkins, The Washington Post

Published Oct. 18, 2018

WASHINGTON - With cyberattacks on medical devices on the rise, the Food and Drug Administration is turning to ethical hackers to help regulators and manufacturers root out vulnerabilities on machines that could put patients' lives at risk.

Medical device makers have pushed back against ethical hackers who have exposed vulnerabilities in their products, and the FDA has typically tried to stay neutral in the debate. But now agency officials say they're embracing the "white hat" hacking community - and are stepping up efforts to collaborate.

As an example, the FDA points to its recent collaboration with a pair of security researchers who uncovered bugs in devices used to program pacemakers that could allow attackers to remotely change settings on patients' cardiac implants. The researchers' findings led the FDA and the manufacturer, Medtronic, to issue rare cybersecurity warnings last week. The company is halting Internet updates on tens of thousands of the devices as it works to patch the vulnerabilities.

The FDA is looking at the research as a model for more partnerships with hackers, said Jeff Shuren, director of the FDA's Center for Devices and Radiological Health. "It's something that we felt is so important in this space - to be able to proactively cultivate that relationship with the researcher community, because they have an integral role to play," he told me in a recent interview.

"We've also been encouraging industry to take better advantage of the researchers, to engage them," he said. "It's great to have folks, if [manufacturers] don't have their own, who can kick the tires, work on vulnerabilities and work on appropriate solutions."

The rapid spread of connected medical devices has left the health-care sector more exposed to cyberattacks than ever before - and the FDA's embrace of ethical hackers shows the agency is willing to use nontraditional approaches to tackle the problem. While government officials and manufacturers alike have long been hesitant to showcase findings from outside researchers, the FDA is joining a growing group of federal agencies that are beginning to incorporate their work into their cybersecurity strategies.

"We're in a very different place than we were several years ago," said Suzanne Schwartz, CDRH's associate director for science and strategic partnerships. "We do see many, many more researchers engaging with us as well as the manufacturing community, and vice versa. So I think that we're changing the tide as far as that goes."

The discovery of the flaws in the Medtronic pacemaker programmers is a bright spot for both the FDA and ethical hackers. Security researchers Billy Rios and Jonathan Butts disclosed the potentially life-threatening vulnerabilities in the machines to Medtronic in early January 2017. More than a year later, the company issued security bulletins responding to the researchers' work, but said the vulnerabilities were "controlled," couldn't be exploited remotely and didn't pose an imminent threat to patients.

After going back and forth with the company for months, Rios and Butts turned their research over to the FDA, which conducted its own analysis. And in August, at the Black Hat hacker conference in Las Vegas, they demonstrated how a hacker could manipulate settings on not just a pacemaker but an insulin pump as well. Schwartz attended the demonstration, which got a shout-out from FDA Commissioner Scott Gottlieb at the time.

Ultimately, the FDA agreed with the researchers' findings, saying in its cybersecurity advisory last week that it had "confirmed that these vulnerabilities could allow an unauthorized user" to "change the functionality" of implanted devices. Medtronic, too, said that the bugs "could result in potential harm to a patient" if not mitigated.

The FDA's support was a game-changer, the researchers said. "Instead of taking the manufacturer's word for it, the FDA ran this to ground truth. And that wasn't easy," Rios told me. "They made it pretty clear that what we talked about at Black Hat could happen. I don't think that we've ever seen that before with FDA. They did a good job here, and hopefully manufacturers in the future realize that if a researcher says this is possible they can't just downplay it."

The agency is working hard to court manufacturers and hackers - and hopefully ease some of the tension that has existed between the two groups, Shuren and Schwartz said. In addition to attending the researchers' demonstration at Black Hat, the FDA sent representatives to the Medical Device Hacking Lab at the Def Con hacking conference, where they worked with manufacturers and hackers to test medical devices against cybersecurity threats.

"I think everyone's been on a journey," Shuren said. "Certainly for the industry, for the agency, for researchers, we're dealing with an emerging area regarding risk."

The outreach is part of a broader set of efforts at the FDA to safeguard medical devices against digital attacks. This month, the agency unveiled a suite of new initiatives to improve device security, including a playbook to help health-care organizations respond to cyberattacks and plans for new forums to help manufacturers share information about potential vulnerabilities and threats. And just this week, the FDA announced a new partnership on device security with the Department of Homeland Security, which is tasked with protecting the health-care sector at large from cyberattacks.

"The more forward-leaning we are in sharing that information," Schwartz said, "the better we feel our posture will be across the entire health-care sector."