FDA to healthcare execs on DMCA exemption: Researchers will find new medical device flaws

The FDA wants the medical device industry to quickly fix cybersecurity issues, reminding healthcare executives that they may soon be hearing about vulnerabilities more frequently from security researchers thanks to a DMCA exemption which will soon go into effect.

Although the Librarian of Congress issued the new exemptions (pdf) last year, there was a one year hold supposedly so various agencies could update their policies. It’s silly, since the exemptions are not permanent; they must be argued and renewed every three years, which basically means security researchers can take advantage of it for two years. They can hope that if their research will take longer than two years, that the exemption is renewed.

In this particular case, the exemption portion that relates to researching medical devices, reads:

A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, that is not and will not be used by patients or for patient care.

Seth Carmody, a cybersecurity project manager at the FDA, mentioned the DMCA exemption on Monday at AdvaMed 2016, a MedTech Conference, in Minneapolis.

According to the StarTribune, Carmody told the audience that quickly fixing security vulnerabilities in medical devices has nothing to do with the FDA being their adversary, nor with being compliant. “This is about the other adversaries that we know exist out there, and working together so we can protect this critical infrastructure.”

During his remarks, Carmody noted that an exemption to the Digital Millennium Copyright Act might soon allow the public to legally probe medical devices and find security vulnerabilities. “So you may have people knocking on your door about vulnerabilities,” he said.

Looking the other way is not the correct response, even if the device is old or was made by a different company.

Rather, the FDA wants a company to do a full risk assessment and if a risk is severe, to do a “coordinated disclosure” of information about vulnerabilities and solutions.

There are right ways and wrong ways to respond to research that exposes holes in medical devices. For example, back in August, St. Jude called a report on how easily its pacemakers could be hacked “false and misleading.” Yesterday, St. Jude announced that it had formed a Cyber Security Medical Advisory Board “to advance cyber security standards in the medical device industry by working with experts and government agencies.”

There was none of that we’re-going-to-sue-you drama at the start of October when Rapid7 and Johnson & Johnson worked together to disclose three vulnerabilities in an insulin pump system. That sort of coordinated disclosure is something the FDA wants to see in the future.

Exemptions to DMCA for security research

The DMCA makes it “illegal to circumvent technological measures used to prevent unauthorized access to copyrighted works.” Section 1201 allows the Librarian of Congress to make exemptions every three years. Although the exemptions went into effect on October 28, 2015, there were stipulations to wait a year. As Cory Doctorow pointed out on Boing Boing, “The power to impose waiting times on exemptions at these hearings is not anywhere in the statute, is without precedent, and has no basis in law.” But that year is almost up, which means it’s nearly time for them to kick in.

The security research specific exemption to the DMCA starts on page 50 (pdf); it reads:

(i) Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986, as amended and codified in title 18, United States Code; and provided, however, that, except as to voting machines, such circumvention is initiated no earlier than 12 months after the effective date of this regulation, and the device or machine is one of the following:

(A) A device or machine primarily designed for use by individual consumers (including voting machines);

(B) A motorized land vehicle; or

(C) A medical device designed for whole or partial implantation in patients or a corresponding personal monitoring system, that is not and will not be used by patients or for patient care.

(ii) For purposes of this exemption, “good-faith security research” means accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.

Go forth, find flaws, disclose responsibly and make the world a safer place.