The Washington Post

The Cybersecurity 202: The FDA is embracing ethical hackers in its push to secure medical devices

with Bastien Inzaurralde


With cyberattacks on medical devices on the rise, the Food and Drug Administration is turning to ethical hackers to help regulators and manufacturers root out vulnerabilities on machines that could put patients' lives at risk.

Medical device makers have pushed back against ethical hackers who have exposed vulnerabilities in their products, and the FDA has typically tried to stay neutral in the debate. But now agency officials say they’re embracing the “white hat” hacking community — and are stepping up efforts to collaborate.

As an example, the FDA points to its recent collaboration with a pair of security researchers who uncovered bugs in devices used to program pacemakers that could allow attackers to remotely change settings on patients’ cardiac implants. The researchers’ findings led the FDA and the manufacturer, Medtronic, to issue rare cybersecurity warnings last week. The company is halting Internet updates on tens of thousands of the devices as it works to patch the vulnerabilities. 

The FDA is looking at the research as a model for more partnerships with hackers, said Jeff Shuren, director of the FDA’s Center for Devices and Radiological Health. “It’s something that we felt is so important in this space — to be able to proactively cultivate that relationship with the researcher community, because they have an integral role to play,” he told me in a recent interview.

“We’ve also been encouraging industry to take better advantage of the researchers, to engage them,” he said. “It’s great to have folks, if [manufacturers] don’t have their own, who can kick the tires, work on vulnerabilities and work on appropriate solutions.”

The rapid spread of connected medical devices has left the health-care sector more exposed to cyberattacks than ever before — and the FDA’s embrace of ethical hackers shows the agency is willing to use nontraditional approaches to tackle the problem. While government officials and manufacturers alike have long been hesitant to showcase findings from outside researchers, the FDA is joining a growing group of federal agencies that are beginning to incorporate their work into their cybersecurity strategies.

“We’re in a very different place than we were several years ago,” Suzanne Schwartz, CDRH's associate director for science and strategic partnerships, told me. “We do see many many more researchers engaging with us as well as the manufacturing community, and vice versa. So I think that we’re changing the tide as far as that goes.” 

The discovery of the flaws in the Medtronic pacemaker programmers is a bright spot for both the FDA and ethical hackers. Security researchers Billy Rios and Jonathan Butts disclosed the potentially life-threatening vulnerabilities in the machines to Medtronic in early January 2017. More than a year later, the company issued security bulletins responding to the researchers' work, but said the vulnerabilities were “controlled,” couldn't be exploited remotely and didn’t pose an imminent threat to patients. 

After going back and forth with the company for months, Rios and Butts turned their research over to the FDA, which conducted its own analysis. And in August, at the Black Hat hacker conference in Las Vegas, they demonstrated how a hacker could manipulate settings on not just a pacemaker but an insulin pump as well. Schwartz attended the demonstration, which got a shout-out from FDA Commissioner Scott Gottlieb at the time.

Ultimately, the FDA agreed with the researchers' findings, saying in its cybersecurity advisory last week that it had “confirmed that these vulnerabilities could allow an unauthorized user” to “change the functionality” of implanted devices. Medtronic, too, said that the bugs “could result in potential harm to a patient” if not mitigated. 

The FDA's support was a game-changer, the researchers said. “Instead of taking the manufacturer’s word for it, the FDA ran this to ground truth. And that wasn’t easy,” Rios told me. “They made it pretty clear that what we talked about at Black Hat could happen. I don’t think that we’ve ever seen that before with FDA. They did a good job here, and hopefully manufacturers in the future realize that if a researcher says this is possible they can’t just downplay it.”

The agency is working hard to court manufacturers and hackers — and hopefully ease some of the tension that has existed between the two groups, Shuren and Schwartz told me. In addition to attending the researchers’ demonstration at Black Hat, the FDA sent representatives to the Medical Device Hacking Lab at the Def Con hacking conference, where they worked with manufacturers and hackers to test medical devices against cybersecurity threats.

“I think everyone’s been on a journey,” Shuren said. “Certainly for the industry, for the agency, for researchers, we’re dealing with an emerging area regarding risk.”

The outreach is part of a broader set of efforts at the FDA to safeguard medical devices against digital attacks. This month, the agency unveiled a suite of new initiatives to improve device security, including a playbook to help health-care organizations respond to cyberattacks and plans for new forums to help manufacturers share information about potential vulnerabilities and threats. And just this week, the FDA announced a new partnership on device security with the Department of Homeland Security, which is tasked with protecting the health-care sector at large from cyberattacks.

“The more forward-leaning we are in sharing that information,” Schwartz said, “the better we feel our posture will be across the entire health-care sector.”


PINGED: Christopher C. Krebs, undersecretary for the Department of Homeland Security's National Protection and Programs Directorate, said Tuesday that "a report on an increased number of cyberattacks on election infrastructure points to a rise in reporting the attempted hacks and not necessarily a spike in the attacks themselves,” according to the Hill's Jacqueline Thomsen.

“Are we seeing an uptick? I don’t know if we are,” Krebs said, as quoted by Thomsen. “I think we’re seeing a consistent and persistent level of activity.” Citing an intelligence assessment by DHS issued last week, NBC News's Pete Williams and Ken Dilanian wrote on Monday that the agency had noticed “an increasing number of attempted cyber attacks on U.S. election databases ahead of next month's midterms.”

Separately on Monday, DHS downplayed a report by the cybersecurity companies Anomali Labs and Intel 471 stating that they found voter records from 19 states for sale on a hacking forum, Defense One's Patrick Tucker reported. “DHS is aware of the report. It is important to note that much of information purportedly being sold is available in most states either publicly or commercially,” a DHS spokesman told Tucker in an email. “It does not appear that this data is indicative of a successful breach of state or local election infrastructure.”

PATCHED: The United States and the European Union maintain a “strong partnership” in support of a “global, open, stable and secure cyberspace” that promotes values such as the rule of law and human rights, according to a press release issued Tuesday by the State Department. The statement followed the fifth meeting of the E.U.-U.S. Cyber Dialogue last month in Brussels. “The EU and United States reaffirmed their strong commitment to human rights and fundamental freedoms online and condemned undue restrictions on freedom of expression and censorship in violation of international human rights law,” the statement said.

Additionally, American and European authorities both support the development of measures to help “reduce misperceptions and the risk of escalation” in cyberspace, according to the press release. “In order to keep cyberspace stable and secure, the EU and United States are committed to hold States accountable for actions that are contrary to the growing consensus on responsible state behaviour in cyberspace,” the statement said. “The EU and United States affirmed the need to strengthen their cooperation in this regard, through both continued dialogue and practical collaborative efforts.”

PWNED: Here's a reminder that the United States is not alone in worrying about Russian election interference. “European Union officials are bracing for attempted meddling by Russia-backed operatives and their copycats ahead of the bloc’s elections in the spring, where far-right parties are set to make gains,” Bloomberg News's Natalia Drozdiak reported Tuesday. “That’s led the bloc to bolster its defenses against cyber-attacks and pressure tech platforms to ramp up the fight against misinformation.”

Bloomberg News reported that Europeans are particularly worried about online influence operations. “Officials in Europe are concerned about potential attacks targeting voting technology but especially those designed to try to manipulate voting behavior, for instance by leaking documents, hacking or spreading fake news articles or misleading information,” Drozdiak wrote.

Officials in Europe are also considering stepping up deterrence efforts. “EU governments are set to pledge to further strengthen deterrence and resilience against cyber and other threats at a gathering of leaders in Brussels this week, according to a draft of the conclusions seen by Bloomberg,” Drozdiak reported. “The U.K., the Netherlands and other EU governments have pushed the bloc to expand the scope of its sanctions regime to target individuals and organizations behind cyber-attacks, potentially including activities that seek to interfere in elections.”


— “Just over two-thirds of federal email domains met a Homeland Security Department deadline Tuesday to install and be fully protected by a tool that guards against email phishing scams, according to a tally from the Global Cyber Alliance,” Nextgov's Joseph Marks reported. “About one-fifth of agency web domains appear not to have even begun installing the tool, known as DMARC, the organization found. That figure comes after a year of staggered deadlines to implement DMARC, which verifies that emailers are who they say they are.”
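The Nextgov item above sorts federal domains into three buckets: fully protected, partially deployed, and not started. The script below is an added example, not code from the article or from the Global Cyber Alliance tally, that shows how such a tally is made: it parses DMARC TXT records (the `v=DMARC1; p=...` string published at `_dmarc.<domain>`) and flags the settings that leave a domain short of enforcement. It assumes that "fully protected" means `p=reject` applied to 100 percent of mail with no weaker subdomain policy (the DHS directive's end state), and the five domain records it checks are constructed, not real DNS data.

```python
"""Parse DMARC TXT records and tally which domains enforce a reject policy.

Added example; the records and domain names below are constructed.
Assumption: "fully protected" = p=reject, pct=100, and no weaker sp= tag.
"""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ('v=DMARC1; p=reject; rua=...') into a tag dict.

    Tags are ';'-separated 'name=value' pairs. The v= tag must be DMARC1
    and a p= tag is mandatory; anything else raises ValueError so a
    malformed or non-DMARC record (e.g. an SPF string) is not mistaken
    for a policy.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record is missing the required p= tag")
    return tags


def assess(record: str) -> dict:
    """Return the effective policy plus a list of weaknesses that keep the
    domain short of full enforcement."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"unknown policy {policy!r}")
    # RFC 7489 defaults: sp= falls back to p=, pct= defaults to 100.
    subdomain_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))

    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine diverts spoofed mail to spam instead of rejecting it")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if POLICY_RANK.get(subdomain_policy, 0) < POLICY_RANK[policy]:
        findings.append(f"sp={subdomain_policy} leaves subdomains weaker than the parent domain")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")

    fully_protected = policy == "reject" and pct == 100 and subdomain_policy == "reject"
    return {"policy": policy, "pct": pct, "fully_protected": fully_protected, "findings": findings}


# Constructed sample: a value of None models a domain with no _dmarc record at all.
SAMPLE_DOMAINS = {
    "agency-a.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example.gov",
    "agency-b.example.gov": "v=DMARC1; p=none; rua=mailto:reports@agency-b.example.gov",
    "agency-c.example.gov": "v=DMARC1; p=reject; pct=50; sp=none",
    "agency-d.example.gov": None,
    "agency-e.example.gov": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.net",
}


def tally(domains: dict) -> dict:
    """Bucket domains the way the deadline tally does: enforcing, started, not started."""
    counts = {"fully_protected": 0, "in_progress": 0, "not_started": 0}
    for record in domains.values():
        if record is None:
            counts["not_started"] += 1
        elif assess(record)["fully_protected"]:
            counts["fully_protected"] += 1
        else:
            counts["in_progress"] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_DOMAINS.items():
        if record is None:
            print(f"{domain}: no DMARC record")
            continue
        result = assess(record)
        print(f"{domain}: p={result['policy']} fully_protected={result['fully_protected']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
    print(tally(SAMPLE_DOMAINS))
```

To run this against a live domain, fetch the record with `dig +short TXT _dmarc.example.gov` and pass the quoted string to `assess()`; note that a record with `p=reject` but `pct=50` or `sp=none` still counts as "in progress" here, which is the kind of half-deployed state a simple presence check would miss.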

— “A 21-year-old Kentucky man who previously admitted to creating and selling a ‘remote access trojan’ (RAT) known as LuminosityLink has been sentenced to 30 months in federal prison,” Ars Technica's Cyrus Farivar reported Tuesday. “Colton Grubbs had previously pleaded guilty to conspiracy to unlawfully accessing computers in the furtherance of a criminal act, among other crimes. When Grubbs was first charged, he claimed LuminosityLink was a legitimate tool for system administrators, and he never intended for it to be used maliciously. He reversed course in a plea agreement he signed in July 2017.”

— More cybersecurity news from the public sector:

Mueller Ready to Deliver Key Findings in His Trump Probe, Sources Say (Bloomberg News)

House Russia-probe witness invokes Fifth Amendment as Trump urges firing of DOJ official connected to dossier (Karoun Demirjian)

Judge rules against voting security advocates in Tennessee (Associated Press)

New York Attorney General Expands Inquiry Into Net Neutrality Comments (The New York Times)


— “Public companies that are easy targets of cyber scams could be in violation of accounting rules that call for firms to safeguard assets, the Securities and Exchange Commission said Tuesday,” the Wall Street Journal's Ezequiel Minaya reported. “The SEC said in an investigative report that nine public companies wired nearly $100 million to hackers who impersonated corporate executives or vendors using emails. One company made 14 wire payments to a hacker, resulting in more than $45 million in losses, the SEC said. The agency declined to punish the companies, which weren’t identified.”

— More cybersecurity news from the private sector:

Facebook’s former security chief warns of tech’s ‘negative impacts’ — and has a plan to help solve them (Craig Timberg and Elizabeth Dwoskin)

Slack Doesn’t Have End-to-End Encryption Because Your Boss Doesn’t Want It (Motherboard)

Google really is trying to build a censored Chinese search engine, its CEO confirms (Brian Fung)

An Army Veteran Wages War on Social Media Disinformation (The Wall Street Journal)


— “Apple apologized over the hacking of some Chinese accounts in phishing scams, almost a week after it emerged that stolen Apple IDs had been used to swipe customer funds,” the Wall Street Journal's Yoko Kubota reported. “In its English statement Tuesday, Apple said it found ‘a small number of our users’ accounts’ had been accessed through phishing scams. ‘We are deeply apologetic about the inconvenience caused to our customers by these phishing scams,’ Apple said in its Chinese statement. The incident came to light last week when Chinese mobile-payment giants Alipay and WeChat Pay said some customers had lost money.”

— More news about security incidents:

Facebook hack affected 3 million in Europe, creating the first big test for privacy regulation there (CNBC)


— “A new NATO military command center to deter computer hackers should be fully staffed in 2023 and able to mount its own cyber attacks but the alliance is still grappling with ground rules for doing so, a senior general said on Tuesday,” Reuters's Robin Emmott reported. “While NATO does not have its own cyber weapons, the U.S.-led alliance established an operations center on Aug. 31 at its military hub in Belgium. The United States, Britain, Estonia and other allies have since offered their cyber capabilities.”

— More cybersecurity news from abroad:

Hackers accused of ties to Russia hit 3 East European companies: cybersecurity firm (Reuters)

Facebook requires UK political ad buyers to reveal identity (Associated Press)



  • DC CyberWeek organized by CyberScoop in Washington through Friday.
  • The Atlantic Council holds a panel discussion on the protection of critical infrastructure.
