The FDA has published long-awaited guidelines on the cybersecurity of medical devices.
The FDA has published long-awaited guidelines on the cybersecurity of medical devices, recommending that manufacturers of these devices consider security concerns related to hacking medical devices that allow connection to the Internet and computer networks. While nothing has been reported about specific medical devices being targeted, the agency is concerned about what could potentially happen in the future.
Perhaps the TV drama “Homeland” brought the threat into public consciousness when terrorists hacked the pacemaker of fictional Vice President Walden, causing cardiac arrest and death. In addition, in 2008 it was reported that a team of computer security researchers gained wireless access to a combination heart defibrillator and pacemaker.
The FDA is recommending that manufacturers consider cybersecurity risks as they design and develop medical devices and is asking companies making the devices to give the FDA information about the potential risks they find and what controls they put in place to mitigate them. As USA Today notes (October 1, 2014), guidelines for companies covered by the FDA are, in effect, rules because the agency has the power to approve or disapprove the release of new medical devices.
Shel Sharma, director of product marketing for threat-detection company Cyphort, explains that many devices are poorly secured and do not require a lot to hack. “If there is sufficient incentive to do so, it will happen, causing harm to patients.” Years ago medical devices were stand-alone and relatively untouchable unless one was in the room with them, whereas devices today have iPad interfaces that allow wireless access, and hackers can manipulate those devices.
At a minimum, the FDA says, new medical devices should require secure authentication for access and should use encrypted communication and ensure that security patches are always added.
The FDA will hold a workshop on the issue October 21 and 22, 2014.
1. Feder BJ. A heart device is found vulnerable to hacker attacks. New York Times. March 12, 2008. http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=0