The FDA has issued a 30-page document addressing cyber vulnerabilities in medical devices, providing manufacturers with guidelines for fixing security bugs in equipment, including pacemakers, insulin pumps, and imaging systems, according to a Reuters report.
The agency released the guidance as it investigates claims that heart devices from St. Jude Medical, Inc., are vulnerable to life-threatening hacks. The allegations, which surfaced in August, underscore the need for government rules on identifying and mitigating the impact of security vulnerabilities in medical equipment, the agency said.
A growing number of medical devices are designed to be networked to facilitate patient care, the document points out. However, like other networked computer systems, networked medical devices incorporate software that may be vulnerable to cybersecurity threats.
According to Suzanne Schwartz, a senior FDA official who helped draft the new rules, these threats are real, ever-present, and continuously changing. “And as hackers become more sophisticated, these cybersecurity risks will evolve,” she said.
The FDA document states that the agency “recognizes that medical device cybersecurity is a shared responsibility among stakeholders, including health care facilities, patients, providers, and manufacturers of medical devices. Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury, or death.”
In February 2013, President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which recognized that “resilient infrastructure is essential to preserving national security, economic stability, and public health and safety in the United States.” The following year, the FDA issued guidance on how manufacturers should address cybersecurity when developing new products, although the rules did not cover equipment that was already on the market. In 2015, the agency advised hospitals to stop using one of Hospira’s infusion pumps, saying a security vulnerability could allow cyber attackers to take remote control of the system.
The new guidelines detail how manufacturers can identify and fix cyber vulnerabilities in marketed products.