FDA issues new guidance on protecting medical devices from hackers

From the mHealthNews archive
By Mike Miliard
07:35 am

In the shadow of the latest – and quite possibly worst – cybersecurity flaw to hit healthcare, federal regulators have issued new guidance to protect medical devices from network-based attacks.

Aimed at manufacturers, the U.S. Food and Drug Administration's guidance calls on device makers to take serious stock of cybersecurity risk early in the design and development process – and to document for the FDA the dangers they identify and the steps they are taking to mitigate them.

The FDA also expects manufacturers to submit plans for providing patches and updates to operating systems and software as new risks crop up.

The recently discovered Shellshock bug, which analysts have said could be among "the worst of all time," poses dangers to unpatched medical devices. As one security analyst told The Washington Post, a targeted exploitation of the flaw "could allow a hacker to remotely own" technology from cellphones to medical devices.

This particular risk is fixable. The problem is that medical devices and other embedded systems depend on the vendor to make protective patches available to end users.

Many organizations "have already pushed out patches – but some appear to be stopgap fixes that do not completely resolve the problem," according to the Post.

In the meantime, the device is left unsecured, and the next big threat or vulnerability, the successor to Heartbleed and Shellshock, lies undiscovered in some tangled mess of obscure code.

The FDA now expects medical manufacturers to consider such potential risks while designing devices and to have a plan to redress them with system and software updates.

As medical devices and health information technology become more interoperable, devices such as smart pumps and cardiac implants are left vulnerable to cyberattack, posing huge risks to patient safety.

"There is no such thing as a threat-proof medical device," said Suzanne Schwartz, MD, director of emergency preparedness/operations and medical countermeasures at the FDA's Center for Devices and Radiological Health, in a press statement announcing the new recommendations. "It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks."

The agency said it knew of no indication that "specific devices or systems have been purposely targeted, nor reports that any patients have been harmed as a result of cybersecurity breaches."

The FDA has long expressed its concerns about cybersecurity vulnerabilities, such as malware infections on network-connected devices, vendors' failure to provide timely security updates and vulnerabilities in off-the-shelf software.

Still, many security experts have found its regulatory efforts to be lacking.

In a statement, Stephen Cobb, security researcher at ESET North America, said that "while long overdue, this move by the FDA is to be welcomed."

"Any efforts to focus attention on the security and privacy aspects of medical devices should be embraced, especially in light of the rapidly expanding adoption of consumer health devices and apps, mobile health, wearable technology and telemedicine," he added.

(This article first appeared in Healthcare IT News, a sister publication of mHealth News and part of the HIMSS Media Group.)