U.S. Food and Drug Administration

FDA sets guidelines for medical devices' cybersecurity

Elizabeth Weise
USATODAY
A microarray scanner being used in a lab at the University of California-San Francisco.

SAN FRANCISCO — The Food and Drug Administration has released long-awaited guidelines on the cybersecurity of medical devices.

"There is no such thing as a threat-proof medical device," said Suzanne Schwartz, director of emergency preparedness at the FDA's Center for Devices and Radiological Health.

"It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks," she said in a statement.

The agency is recommending that manufacturers consider cybersecurity risks as they design and develop medical devices.

Further, companies should give the FDA information about the potential risks they found and what controls they put in place to mitigate them.

The FDA will hold a national workshop on medical devices and cybersecurity on Oct. 21 and 22.

"Guidelines," for companies covered by the FDA, are in effect rules. Because the agency has the power to approve or disapprove the release of new medical devices, companies know they must follow its guidance.

While the FDA hasn't had any reports of specific medical devices being targeted by those wanting to do harm, concern over what could happen has been building for some time, because medical devices are increasingly connected to computer networks.

"Many devices are poorly secured and do not require a lot to hack. If there is sufficient incentive to do so, it will happen, causing harm to patients," said Shel Sharma, director of product marketing for Cyphort, a threat-detection company.

There are many ways a medical device could be subverted. It used to be that medical devices were stand-alone and relatively untouchable machines, unless someone intent on harm was in the room with them.

"When it's specialized equipment, especially when it's not connected to the Internet, how do you hack that?" said Chris Wysopal, chief technology officer of app security company Veracode.

Speaking at a round-table discussion on medical device security at this fall's Black Hat security conference in Las Vegas, he described one company that used to make anesthesia carts that were all "fiddly dials and knobs interface," with no Internet access.

The company has now moved to an iPad interface that allows wireless access. "Now the hackers can manipulate those devices," he said.

That's what the FDA is hoping to avoid, by pushing medical device makers to think about possible problems and their solutions before going to market.

At a minimum, medical devices should require secure authentication for access, use encrypted communication and make sure that security patches are always added.

That will require device manufacturers "to change their mindset and build security from the ground up in the devices," said Sharma.

The guidance is better late than never, said Chris Petersen, chief technology officer for LogRhythm, a security company.

"Many existing medical devices are running commercial or open source operating systems such as Windows or Linux," he said.

New vulnerabilities in these systems are being constantly discovered and patched. That's a problem, because many medical devices were developed "assuming they would never be patched, or patched rarely," he said.

The new FDA guidelines should begin to change that. But for now health care organizations must operate assuming "the adversary is inside now, or will be tomorrow. They will need to deploy security strategies that address the fact they likely have thousands of insecure, IP-enabled devices in their network," Petersen said.
