Copyright Office Gives the Green Light to Hacking Medical Devices
Wayne Moore
2/8/2022
Through a recent uninformed decision, the United States Copyright office has given the green light for hackers to circumvent software locks on medical devices in order to allow access to the systems internal software architecture. This errant decision was based, in part, upon an FDA letter stating that allowing hackers to do this would not “necessarily” create a cyber-security risk1.
Although the complexity involved with breaking into a medical device’s software and circumventing lockouts is beyond the capabilities of the vast majority of biomedical engineers, the hospital could outsource the hacking by tapping into a huge pool of dark space computer wizards who would be delighted to do so.
Typically, OEMs store a service-related encrypted access code on a numeric USB drive that is plugged into the ultrasound system (like the one shown below). The USB is then decrypted by punching in the code on the numeric keypad. As an added measure of security, the encrypted code is routinely changed every thirty-days or so depending on the OEM. Once the decryption code is activated, I can get into both the service diagnostics page (Secured Service Access) in the ultrasound system, as well as gain access to the Windows operating system. Once I am at this level, I can change things like the system serial number, I can turn on probes and other clinical features (that were not paid for), download patient data, upload viruses that can compromise cyber-security, and generally cause havoc within the ultrasound system in addition to gaining access to the hospital’s IT infrastructure.
So, can someone please tell me how the FDA came to the conclusion in its letter to the FTC and Copyright office that the act of hacking into a medical device is not a cyber-security issue?
Until next month,
Wayne
1 devices. FDA therefore does not share the view that an exemption from liability under 17 U.S.C § 1201 for circumvention conducted solely for the purpose of diagnosis, maintenance, or repair of medical devices would necessarily and materially jeopardize the safety and effectiveness of medical devices in the the United States with respect to cybersecurity; however, FDA has sought stakeholder