The U.S. Food and Drug Administration (FDA) released digital security guidelines for how medical “smart” devices should be secured even after they’ve already been sold to hospitals or entered patients’ bodies.
Non-Binding Security Recommendations
Due to the nature of medical devices, especially those that can be embedded into the human body, the digital security risk factor is significantly larger than for other typical “smart” devices. Those types of insecure Internet of Things (IoT) products bring their own problems--such as becoming involuntary participants in taking down major services--but they aren't usually a direct threat to people’s lives.
The FDA's guidelines aren't legally binding. Their release does mean that medical device manufacturers no longer have an excuse for not knowing how to secure their products, which is a welcome development, but vendors could still ignore the agency's recommendations and sell insecure devices.
However, the current 30-page guidance may at least become a stepping stone for future legislation. it may also ease medical device companies into the transition to securing their devices until strict, mandatory rules are put in place.
Security By Design
The FDA released a set of recommendations for properly securing devices while they are being developed and before they're shipped in 2014. The new document focuses mainly on how to secure devices after they’ve been shipped to customers, but it’s important for companies to consider a holistic approach to security. It may be more cost-effective in the long-term if there are fewer critical vulnerabilities to fix, and it would also keep patients safer.
As we’ve seen from other studies, “security by design” is a strategy that needs to be implemented by all makers of electronic devices that don’t want their devices to be compromised after they are sold to consumers, or want a lower cost with updating them over longer periods of time. This strategy is even more important for medical devices because of the direct risk to human life and because they may have to be supported for a decade or longer.
Postmarket Security Guidelines
According to Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, medical device companies should also ensure a good level of security and support for their devices after they’ve already been sold. This includes:
Having a way to monitor and detect cybersecurity vulnerabilities in their devicesUnderstanding, assessing and detecting the level of risk a vulnerability poses to patient safetyEstablishing a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)Deploying mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm
The new guidelines also recommend joining an Information Sharing and Analysis Organization (ISAO) in order to share threats with other companies and the U.S. government as they appear.
Most routine security patches won’t have to reported to the FDA unless someone dies as the result of a vulnerability or data breach. Critical vulnerabilities that pose a danger to human life would have to be reported to customers within 30 days, fixed within 60 days, and the information should be shared with an ISAO.
Chances are that at least some vendors will want to follow most (if not all) of the recommended guidelines. However, unless there's some certification or rating system, it will be difficult for patients and hospitals to know if devices have rigorous security and will be supported many years after purchase.
