With hackers and cyberattacks increasing as threats to medical devices, the U.S. Food and Drug Administration this week published new guidance calling for developers and healthcare facilities to beef up security efforts while creating and using those devices.
In its guidelines, the FDA recommended that all device manufacturers work to:
- Limit device access to trusted users only
- Protect individual components from exploitation
- Craft strategies for active security protections appropriate for a device's use environment
- Provide methods for retention and recovery following security breakdowns
For healthcare facilities, the FDA's recommendations included:
- Restricting unauthorized access to networks and medical devices, and tracking network activity, just in case
- Keeping antivirus software, firewalls and security patches up to date
- Creating and evaluating strategies for maintaining functionality during adverse events
"We are aware of hundreds of medical devices that have been infected by malware," Bill Maisel, deputy director for science at FDA's Center for Device and Radiological Health, told the Wall Street Journal. "It's not difficult to imagine how these types of events could lead to patient harm."
A Government Accountability Office report published last summer called on FDA to pay more attention to the information security risks for implantable electronic medical devices such as heart defibrillators and insulin pumps. At that time, FDA officials said they already had started taking steps toward fulfilling GAO's recommendations of creating a formal plan to expand its focus on IS risks.
In an interview with FierceEMR in April 2012, Dale Nordenberg--co-founder and executive director of the Medical Device Innovation, Safety and Security Consortium--called medical device cybersecurity an "emerging problem."