- The U.S. Food and Drug Administration issued a set of recommendations for securing medical devices.
- Robust cybersecurity is an ongoing process that requires maintenance and regular software updates.
The U.S. Food and Drug Administration issued a final guidance addressing the cyber vulnerabilities in medical devices, outlining the guidelines for manufacturers on security of internet-connected devices such as pacemakers and insulin pumps.
With the guidelines, the FDA said manufacturers must build cybersecurity controls into medical devices during the development process. Further, they should establish, document and maintain the identification of hazards throughout the device life cycle as part of risk management.
‘Unlike smartphones and consumer computers that regularly see over-the-air software updates, things like pacemakers and defibrillators are more likely to be left alone once they enter the market, making them an easy mark for would-be attackers.’
Some in the healthcare industry have long criticized the FDA for only giving suggestions to fix these major security flaws rather than offering official guidelines.
"Today's post-market guidance recognizes today's reality. Cybersecurity threats are real, ever-present and continuously changing," Suzanne B. Schwartz, MD, the FDA's associate director for science and strategic partnerships, said in a statement. "As hackers become more sophisticated, these cybersecurity risks will evolve."
The FDA recommends manufacturers continually monitor cybersecurity vulnerabilities of devices and should create a program to mitigate these risks.
Additionally, they should assess vulnerabilities in their products and how they could affect patients, while working with researchers to better understand potential cyber risks. Manufacturers should also address issues early on before an exploit can occur, through deployed mitigations, such as software patches.
The FDA also stressed that it is important for developers to apply the core principles of the National Institute of Standards and Technology (NIST) to improve their cybersecurity infrastructure.
The 30-page guidance was released as the FDA investigates claims that St. Jude Medical's heart devices are vulnerable to attacks that can endanger patient lives. FDA guidance released in 2014 addressed cybersecurity needs during new device development, but failed to include devices currently on the market.
"It's only through application of these guiding principles, executed alongside best practices such as coordinated vulnerability disclosure, that will allow us all to navigate this uncharted territory of evolving risks to device security," Schwartz said.
"This is clearly not the end of what FDA will do to address cybersecurity," she added. "We'll continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats and intend to adjust our guidance or issue new guidance, as needed."