In the wake of its recent safety communication on medical device cybersecurity, the FDA has indirectly announced that it plans to develop a cybersecurity laboratory. The new lab will use a procedure called fuzzing or fuzz testing to assess the vulnerability of medical device software to exploits by attackers. The announcement came in a solicitation published July 21 on the Federal Business Opportunities website. 

According to the announcement, fuzzing is the “best way” to discover software vulnerabilities. The method “feeds a program, device or system with malformed and unexpected input data in order to find defects. Malformed, anomalous input such as overflow, underflow or repetition trigger a vulnerability in software, causing for example crashes, denial of service (DoS), security exposures or performance degradation.” Identifying such failures will allow software to be hardened against exploits before commercial release.
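To make the quoted description concrete, here is an added example (not from the FDA notice and not Codenomicon's Defensics): a minimal mutation fuzzer in Python that applies the three anomaly classes named above to a toy record parser. The record format, `parse_record`, its missing bounds check, and the sample record are all constructed for illustration.

```python
import random
from collections import Counter

def parse_record(data: bytes) -> dict:
    """Constructed toy target: [type:1][length:1][payload:length][checksum:1]."""
    if len(data) < 2:
        raise ValueError("short header")      # graceful, documented rejection
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = data[2 + length]               # defect: length field is trusted
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")
    return {"type": rtype, "payload": payload}

# One well-formed record (constructed sample) used as the mutation seed.
SEED = bytes([1, 5]) + b"hello" + bytes([sum(b"hello") % 256])

def overflow(data, rng):
    """Claim a payload far larger than the bytes actually present."""
    return bytes([data[0], rng.choice([0x7F, 0x80, 0xFF])]) + data[2:]

def underflow(data, rng):
    """Truncate the record at a random offset."""
    return data[:rng.randrange(len(data))]

def repetition(data, rng):
    """Repeat one byte of the record many times in place."""
    i = rng.randrange(len(data))
    return data[:i] + data[i:i + 1] * rng.randint(2, 64) + data[i + 1:]

MUTATORS = [("overflow", overflow), ("underflow", underflow), ("repetition", repetition)]

def fuzz(target, seed_input, rounds=300, rng_seed=0):
    """Return (mutator, input, exception name) for every unhandled failure."""
    rng = random.Random(rng_seed)
    findings = []
    for i in range(rounds):
        name, mutate = MUTATORS[i % len(MUTATORS)]
        case = mutate(seed_input, rng)
        try:
            target(case)
        except ValueError:
            continue                          # input rejected cleanly: not a finding
        except Exception as exc:              # anything else is a robustness defect
            findings.append((name, case, type(exc).__name__))
    return findings

if __name__ == "__main__":
    results = fuzz(parse_record, SEED)
    print(Counter((name, exc) for name, _, exc in results))
```

Every finding here traces to the unchecked length field; rejecting records where `2 + length >= len(data)` with a `ValueError` turns each crash into a clean rejection, which is the hardening step the article refers to.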

The lab will use Codenomicon’s Defensics software to conduct the fuzz testing.

The FDA’s notice did not explain how the agency will ultimately use the cybersecurity lab, nor did it specify how the lab might affect the medical device clearance process.