The Food and Drug Administration has issued its final guidance on protecting medical devices like pacemakers and insulin pumps from cyberattacks. To start with, it wants manufacturers to boost their cybersecurity measures by incorporating a way to monitor and detect vulnerabilities into the products they make. The FDA also wants them to establish a process for receiving information about potential vulnerabilities from cybersecurity researchers. If they do detect any exploitable flaw, the agency wants the companies to assess the risk it poses to patients. Finally, it wants the medical device makers to issue software patches to fix any vulnerability it finds.
According to the FDA, this final guidance “recognizes today’s reality” that “cybersecurity threats are real, ever-present and continuously changing.” It applies to all medical devices, including those already out on the market such as those manufactured by St. Jude Medical. The agency is currently investigating St. Jude’s products after an investment firm and a cybersecurity company claimed that they lack even the most basic form of cybersecurity.
The FDA promises to adjust its guidance or even issue a new one if needed, since cyberthreats can evolve and hackers can become even more capable:
“Digital connections power great innovation — and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve health care can increase cybersecurity risks. This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done.”