
The FDA wants medical device creators to pay attention to cybersecurity

The US Food and Drug Administration issued draft guidelines this past week to address medical devices’ cybersecurity and give manufacturers more concrete requirements when it comes to assessing the security of their products. The agency first warned manufacturers about security vulnerabilities in June, and these guidelines build off that initial release.

Product developers are being encouraged to enact a “cybersecurity risk management program” that would have them identify and remediate vulnerabilities in their devices. It’s also suggested they devise a disclosure plan in the event that a vulnerability is discovered. Medical devices surfaced as major cybersecurity risks this past year when, for the first time, the FDA issued a warning about a specific general infusion pump. The Hospira pump was vulnerable to cyberattacks, and the FDA encouraged hospitals to get rid of the devices. The warning came nearly two months after the vulnerability was first discovered.

Still, while manufacturers have struggled to disclose bugs in the past, they will continue to carry most of the responsibility. They can alert consumers and patch vulnerabilities without giving the FDA an advance heads-up. That is, unless the bugs could result in a patient’s death. The guidelines stipulate that if a serious flaw is found it’ll have to be reported to the agency. Serious bugs would be any that compromise the device’s essential performance and could result in severe health consequences. The manufacturers also have to patch and tell consumers about the flaw within 30 days of finding out about it.


Security patching is becoming critical during the Internet of Things era, especially when people’s well-being is at risk. Even former Vice President Dick Cheney wasn’t totally safe from cyberattacks. His pacemaker was taken offline nine years ago over worries that hackers could compromise it and kill him. The FDA plans to discuss its draft at an upcoming workshop this week and is accepting comments for 90 days.

Correction, January 20th, 9:37 AM ET: This article initially said the vulnerable Hospira pump was an insulin pump instead of a general infusion pump. The article has been changed to reflect this.
