FDA releases draft guidelines to improve cybersecurity in medical devices

Stethoscope. Image courtesy of Shutterstock.

There’s no doubt that the global Internet of Things (IoT) healthcare market is growing.

Sadly, the IoT is a bit of a cybersecurity nightmare; many smart things aren’t secured properly, leaving sensitive data, and sometimes people’s health, at risk.

Cybersecurity in medical devices has been of concern for some years now – last year a security hole was found in some drug pumps which could have allowed a fatal dose to be administered, and back in 2013, the wireless capabilities of Dick Cheney’s pacemaker were disabled to thwart hacking attempts (read assassination attempts).

The US Food and Drug Administration (FDA) is well aware of the cybersecurity risks in medical devices and has for some time been asking manufacturers to treat medical device security as a serious concern.

Now, it has issued draft guidelines to give device makers a clearer picture of the steps that need to be followed to ensure the safety of their devices.

In a statement, the agency said:

Cybersecurity threats to medical devices are a growing concern. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.

Some of the key elements of this draft guidance include:

  • Apply the 2014 NIST voluntary framework for improving critical infrastructure cybersecurity.
  • Define essential clinical performance to develop solutions that offer protection from cybersecurity risks and also help respond to and recover from them.
  • Keep on top of sources that help identify and detect cybersecurity vulnerabilities.
  • Understand and assess the implications of a vulnerability.
  • Create and follow a seamless vulnerability management process.
  • Put in place and practice a well-coordinated vulnerability disclosure policy.
  • Cybersecurity risk mitigations must be deployed early and prior to exploitation.

The document is in its draft stages, and a work in progress. We’re glad to see it.
