The U.S. Government has taken steps it hopes will better protect the users of medical devices, such as pacemakers and insulin pumps, from cyberattacks. For years now the risks of connected medical devices have been demonstrated and well-known. It’s an area we’ve covered here for some time.
Well, last week, the U.S. Food and Drug Administration provided medical device makers rules and guidelines that will hopefully help manufacturers to better design, build, and manage devices that are reasonably safe from digital attack. "Cybersecurity threats are real, ever-present and continuously changing," wrote Suzanne Schwartz, Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, at the Center for Devices and Radiological Health. "As hackers become more sophisticated, these cybersecurity risks will evolve," she said.
In an attempt to get ahead of those evolving threats, the FDA published its 30-page guide that not only helps device makers better identify flaws in products after they’ve shipped, but also better work with bugfinders who identify flaws. These are also two issues traditional software makers still find challenging, but have built processes that have improved their relationship and success with security researchers. In hasn’t always been this way with traditional software makers, going back to the early 2000s many vendors still had adversarial relationships with software bugfinders.
In the blog post announcing the guidance, the FDA details: that medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks. This means manufacturers should, among other things:
- Have a way to monitor and detect cybersecurity vulnerabilities in their devices
- Understand, assess and detect the level of risk a vulnerability poses to patient safety
- Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
- Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm
This approach enables manufacturers to focus on continuous quality improvement, which is essential to ensuring the safety and effectiveness of medical devices at all stages in the device’s lifecycle, Schwartz wrote.
She also recommended that manufacturers and stakeholders across the entire ecosystem to consider applying the National Institute of Standards and Technology’s (NIST) core principles for improving critical infrastructure cybersecurity: to identify, protect, detect, respond and recover from risk.
“This is clearly not the end of what FDA will do to address cybersecurity. We will continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats, and intend to adjust our guidance or issue new guidance, as needed,” she wrote. “The same innovations and features that improve health care can increase cybersecurity risks. This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done,” she continued.
Let’s hope that both the FDA and medical device makers are successful at these goals, and can do so much more swiftly than the software industry – there is certainly a much more narrow margin of error and more at stake for the users.