On October 1 the US Food and Drug Administration (FDA) issued final guidance regarding cybersecurity for medical devices. The FDA guidelines urge device manufacturers to include safety controls on devices to prevent cyber threats and recommend that manufacturers outline the necessary steps that will be taken if their devices are found to be vulnerable to breaches. This guidance finalizes the draft guidance published last year in response to the U.S. Department of Homeland Security’s warning about cyber-attacks on medical devices.
The FDA’s concerns about cybersecurity vulnerabilities include malware infections on network-connected medical devices or on computers, smartphones, and tablets used to access patient data; unsecured or uncontrolled distribution of passwords; failure to provide timely security software updates and patches to medical devices and networks; and security vulnerabilities in off-the-shelf software designed to prevent unauthorized access to the device or network. While the FDA has not yet had any reports of specific medical devices being targeted, there is concern about what could happen in the future as medical devices are increasingly connected to computer networks.
At a minimum, the guidance outlines that medical device manufacturers should require secure authentication for access, use encryption, and ensure that security patches are applied when necessary. The FDA is working closely with other agencies and stakeholders and is planning a public workshop this fall entitled “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” to discuss how to strengthen medical device cybersecurity.