Can New FDA Guidelines Stop Scary Medical Device Hacking?

Pacemakers and insulin pumps are vulnerable to cybersecurity threats

Dec 28, 2016 at 4:44 PM ET

The Food and Drug Administration (FDA) wants medical device manufacturers to stay on their toes against hackers. On Wednesday, the agency released the final version of its guidelines for how manufacturers should secure their devices against cyber threats once they’ve left the factory floor.

In recent years, researchers have repeatedly demonstrated the potential threat of medical device hacking. They have been able to tamper with pacemakers, insulin pumps and other life-saving devices, even to the point where a malicious enough person could kill someone if they so wished. And though the FDA guidelines exclude the leaking of confidential patient information from connected devices from their definition of direct patient harm, they note that it is a very real danger too.

The recommendations, all voluntary, include having manufacturers share information with one another and regularly deploy software patches and updates to fix security vulnerabilities. The agency has also asked manufacturers to adhere to a checklist of measures established by the National Institute of Standards and Technology.

“Today’s postmarket guidance recognizes today’s reality — cybersecurity threats are real, ever-present, and continuously changing,” said Dr. Suzanne B. Schwartz, the FDA’s associate director for science and strategic partnerships at the Center for Devices and Radiological Health, in a blog post accompanying the release. “In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety. And as hackers become more sophisticated, these cybersecurity risks will evolve.”

The guidelines were initially released in draft form earlier this January, followed by a comment period. They build on an earlier document, published in 2014, that focused more on the cybersecurity precautions companies should take before their devices hit the market.

While the guidelines are non-mandatory, there is an incentive for those who join collaborative industry groups on this issue, called Information Sharing and Analysis Organizations (ISAOs). ISAO members will be exempt from making certain data — presumably including proprietary information — available for public disclosure via the Freedom of Information Act or similar state laws. The FDA has already entered into a formal, though not legally binding, partnership with one such ISAO, the National Health Information Sharing & Analysis Center. ISAO members can be groups and organizations from either the private or public sector, non-profit and for-profit alike.

“This is clearly not the end of what FDA will do to address cybersecurity,” promised Schwartz. “We will continue to work with all medical device cybersecurity stakeholders to monitor, identify and address threats, and intend to adjust our guidance or issue new guidance, as needed.”