WHY THIS MATTERS IN BRIEF
More and more implanted medical devices are becoming connected devices, which exposes them to cyberattacks; the FDA’s new cybersecurity guidance hopes to curtail those attacks and prevent deaths that might result from an attack on people’s IMDs.
You have a pacemaker. It’s hacked. You’re dead. Sorry about that, but the company that built it didn’t think that would happen.
That’s the reality faced by millions of people today who have Implanted Medical Devices (IMDs) in their bodies, such as pacemakers and insulin pumps, that were never designed to cope with, or protect against, targeted cyberattacks, and which are increasingly just one more item in a growing collection of “connected devices”.
In 2016, in the US alone, doctors fitted over 350,000 pacemakers and 140,000 Implantable Cardioverter Defibrillators (ICDs); globally it’s estimated that the figure is well over a million units per year, and that doesn’t take into account all of the other IMDs.
This week the Food and Drug Administration (FDA) issued its final guidance, entitled “Postmarket Management of Cybersecurity in Medical Devices,” on protecting medical devices from cyberattacks.
The FDA wants manufacturers to boost their cybersecurity measures by incorporating ways to monitor and detect vulnerabilities in the products they make. It also wants manufacturers to create a system, a little akin to Microsoft’s or Google’s bug bounty programs, that allows them to receive information about potential vulnerabilities from cybersecurity researchers, and if they come across an exploitable flaw, the agency wants the companies to assess the risk it poses to patients. Finally, it wants the medical device makers to issue software patches to fix any vulnerability they find.
All in all, it’s not groundbreaking, but then it doesn’t have to be. By simply establishing guidelines and a foundation for detecting, managing and fixing vulnerabilities, the FDA is prompting manufacturers into action.
According to the FDA, this final guidance “recognizes today’s reality that cybersecurity threats are real, ever present and continuously changing,” and the new guidelines apply to all medical devices, including those already on the market, such as the ones manufactured by St. Jude Medical. St. Jude recently became the target of a hedge fund that shorted its stock and sent the share price down 5% after releasing research claiming the devices were vulnerable to cyberattack. The FDA is now investigating.
The FDA promises to adjust its guidance or even issue a new one if needed, since cyberthreats can evolve and hackers can become even more capable.
“Digital connections power great innovation, and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve health care can increase cybersecurity risks. This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done,” they said in a statement.