FDA to med device makers: We must work together on security

The U.S. Food and Drug Administration and manufacturers must work together to fix security flaws in medical devices, Seth Carmody, cybersecurity project manager with the FDA, told healthcare executives at a Minneapolis convention Monday.

“This isn’t about the FDA being your adversary,” Carmody told an audience at the medical device industry conference AdvaMed 2016, the Star Tribune reports. “This is not about you being compliant. This is about the other adversaries that we know exist out there, and working together so we can protect this critical infrastructure.”

Carmody said he had fielded calls from device makers’ security pros who wanted to have an “informal chat” with the FDA, but others within their organizations had warned them against sharing information with the federal agency. That, he said, indicates the need for cultural change in that mindset.

“Cybersecurity is going to be a group effort, a whole community approach,” Carmody said.

He pointed out that device makers soon might have more security investigators knocking on their doors as changes to the Digital Millennium Copyright Act, due to go into effect next month, allow the public to legally search for and report security vulnerabilities.

In just the past few months, cybersecurity vulnerabilities have made headlines, with Johnson & Johnson self-reporting risks associated with its Animas One Touch Ping insulin pump, and investment firm Muddy Waters reporting issues with implantable heart devices made by St. Jude Medical. However, St. Jude calls those allegations false and has sued for defamation.

Still, St. Jude just announced this week the formation of a medical advisory board focused on cybersecurity issues. It said its own security pros, as well as outside experts, will work together on the new panel, Reuters reports.