FDA Wants to Protect High-Tech Medical Devices From Hackers


In new draft guidance, FDA tells device manufacturers to take responsibility for cybersecurity vulnerabilities.

The Food and Drug Administration aims to ensure hackers can’t remotely access or control medical devices, and it’s asking the private sector to do more to protect those devices.

Earlier this month, FDA issued draft guidance directing manufacturers to conduct “postmarket” evaluation of their devices, ensuring device security vulnerabilities won’t affect clinical performance.

“Because cybersecurity risks to medical devices are continually evolving, it is not possible to completely mitigate risks through premarket controls alone,” the document said.

Last year, for instance, FDA issued a safety advisory about a security flaw in pharmaceutical company Hospira Inc.’s infusion pump system, after a researcher informed it about the possibility of accessing the system remotely through the hospital’s network.

Though FDA wasn’t aware of patient injuries related to that incident or similar security flaws in other devices, “these vulnerabilities could allow unauthorized users to control the infusion pump and modify the dosage it delivers, potentially leading to over- or underinfusion of critical patient therapies,” the agency wrote on its website.

The draft guidance, open for public comment over the next 90 days, directs manufacturers to better understand and assess the “presence and impact” of vulnerabilities, to implement “a coordinated vulnerability disclosure policy,” and to address cyber risk before vulnerabilities can be exploited, among other recommendations.

Even if security vulnerabilities don’t seem to impact the clinical performance of the device, they should be evaluated for “future impact,” FDA wrote.

The guidance comes almost a year after President Barack Obama issued an executive order directing the public and private sectors to share more information about cybersecurity, and to develop joint Information Sharing Analysis Organizations, or ISAOs.

FDA’s Center for Devices and Radiological Health is working with an ISAO called the National Health Information Sharing & Analysis Center, the draft noted.

Still, the draft acknowledged medical devices can’t be completely secured against cyberthreats, especially as “design, architecture, technology, and software development environment choices may result in the inadvertent incorporation of vulnerabilities.”
