September 23, 2013
The Food and Drug Administration (FDA) announced that it will begin to use the unique device identification (UDI) system to “identify medical devices.”
Jeffrey Shuren, director of the Center for Devices and Radiological Health (CDRH) at the FDA, said: “UDI represents a landmark step in improving patient safety, modernizing our postmarket surveillance system for medical devices, and facilitating medical device innovation.”
The UDI system is comprised of:
• A unique number assigned by the device manufacturer to the version or model of a device, called a unique device identifier, that will include production-specific information such as the product’s lot or batch number, expiration date, and manufacturing date when that information appears on the label.
• A publicly searchable database administered by the FDA, called the Global Unique Device Identification Database (GUDID), that will serve as a reference catalogue for every device with an identifier.
GUDID, as explained in the UDI final rule, will become a “reference catalog for every device with an identifier.”
The rule states: “labeler is the person who causes a label to be applied to a device, or who causes the label to be modified, with the intent that the device will be introduced into interstate commerce without any subsequent replacement or modification of the label; in most instances, the labeler would be the device manufacturer, but the labeler may be a specification developer, a single-use device reprocessor, a convenience kit assembler, a repackager, or a relabeler.”
The FDA states that the public “will have access to information contained in the GUDID” through a “secure web interface” hosted on a “web service” that is driven by “search” terms.
It is noted that “download capability is planned for the future.”
Medical devices from “hip replacements to pacemakers” will be tracked and databased to “help maintain medical devices inside millions of Americans.”
This implementation of tracking devices is being “supported and promoted greatly by medical experts and advocates for public safety.”
This announcement comes after Barnaby Jack, director of embedded device security at IOActive, mysteriously died earlier this year after he revealed that he knew of a technique for hacking into implanted heart devices that “could kill a man from 30 feet away.”
Jack said that he was sure this technology “could [have] lethal consequences.”
Jack was supposed to speak at the Black Hat convention to be held in San Francisco where he was expected to demonstrate his knowledge.
This conference is supported by tech giants such as:
Jack told mainstream media in his last interview that he “had devised a way to attack heart patients by hacking into a wireless communications system that links implanted pacemakers and defibrillators with bedside monitors that gather information about their operations.”
In researching how vulnerable a new model of wireless pacemakers and Implantable Cardioverter Defibrillators (ICDs) is, Jack “created software for research purposes that will wirelessly scan for new model ICDs and pacemakers without the need for a serial or model number. The software then allows one to rewrite the firmware on the devices, modify settings and parameters, and in the case of ICDs, deliver high-voltage shocks remotely.”
An ICD is a “small battery-powered electrical impulse generator that is implanted in patients who are at risk of sudden cardiac death due to ventricular fibrillation and ventricular tachycardia.”
The Food and Drug Administration (FDA) issued a warning that pacemakers and hospital electrical equipment could be hacked into and pose a cybersecurity threat because of “out-of-date software” and lack of protection at internet connections.
Medical device manufacturers are being admonished by the FDA to provide the federal government with security plans as part of their approval process.
Devices have already been identified as being compromised by malware.
In 2002, researchers discovered that ICDs are prone to malfunction and those failures could induce a heart attack in patients.
Considering the back and forth between the FDA and manufacturers on whether or not ICDs are safe, it is curious that Jack suddenly died just before he was scheduled to appear at the Black Hat conference where he was going to explain and demonstrate how a hacker could remotely control ICDs.
Jack knew, through extensive research, that ICDs could be used to kill people in a virtually undetectable way through hacking into the device.
However, Jack did not expose how dangerous ICDs are at the Black Hat conference.