New FDA Guidance Aims to Prevent Med Device Hack Attacks
On December 27, 2016, the FDA released a 30-page guidance intended to address cyber vulnerabilities in medical devices. The guidance includes recommendations for manufacturers on fixing security problems in equipment already in use, including insulin pumps, pacemakers, and imaging systems. [1]
Says Suzanne Schwartz, a senior Food and Drug Administration official who helped draft the new rules:
“In today’s world of medical devices that are connected to a hospital’s network or even a patient’s own internet service at home, we see significant technological advances in patient care and, at the same time, an increase in the risk of cybersecurity breaches that could affect a device’s performance and functionality. [2]
Cybersecurity threats are real, ever-present and continuously changing. And as hackers become more sophisticated, these cybersecurity risks will evolve.” [1]
The guidelines’ release comes as the FDA investigates claims from a short-selling firm and security researchers that St. Jude Medical Inc.’s heart devices are vulnerable to life-threatening hacks.
Back in 2014, the FDA issued guidelines dealing with how medical device makers should prevent cyber-attacks when developing new products, but the recommendations did not address equipment that was already on the market.
The new guidelines direct manufacturers on identifying and fixing cyber vulnerabilities in devices already on the market. The FDA is also urging manufacturers to make it easier for security researchers to report new bugs.
The potential for hack attacks on medical devices is very real, and the FDA has been warning the healthcare industry about it for years. The agency advised hospitals in 2015 to stop using an infusion pump manufactured by Hospira Inc. after it was discovered that hackers could remotely control the system, potentially delivering too much or too little medication to patients. Researchers have also been able to tamper with defibrillators, pacemakers, and insulin pumps.
Another concern is that hackers could gain access to hospital networks that store patient information, which could be an identity theft nightmare.
Schwartz said:
“In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve.” [3]
Most patches and security updates employed by manufacturers will be considered routine enhancements that won’t require manufacturers to notify the FDA each time they issue one. The manufacturer must alert the FDA only if someone dies or is seriously injured because of a bug.
Bugs that are caught before anyone is harmed won’t have to be reported to the FDA as long as the manufacturer informs customers and users about it within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO (Information Sharing and Analysis Organization).
However, none of the FDA’s recommendations are legally enforceable, so patients and hospitals must simply trust that manufacturers are staying abreast of security updates and threats.
Sources:
[1] Reuters
[2] CNET
[3] The Verge