FDA joins chorus of concern about cybersecurity threats

The FDA jumped off the sidelines in the ongoing discussion about threats to networked medical devices, issuing draft guidance to manufacturers and others to take additional precautions against cyberattacks that endanger patients.

With the agency harping on cyberthreats, IT security consultants and software groups might find a more receptive audience with medical device makers. Manufacturers are typically loath to support additional regulatory hurdles, but they face inevitable change because so many of their products, including fetal monitors and implanted defibrillators, contain computers that expose them to hackers and software viruses. Security breaches threaten the function of the devices and safety of the patients who depend on them.

"There's almost no medical device that doesn't have a network jack on the back," said John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston, as quoted by The Washington Post. "To fight the evils of the Internet, not only do you have to have a moat, you have to have a drawbridge, burning oil to pour on attackers, and guys with arrows."

Albeit without the metaphors of medieval defenses, the FDA also sees a need for layers of security against cyberattacks. Amid multiple recommendations, the agency called for fail-safe modes in devices that would keep the products functioning in the event of a breach. Regulators put some teeth in their guidance issued on Thursday, saying that manufacturers should include plans for thwarting cybersecurity threats in their submissions for product market clearances.

Presumably, devicemakers would risk a denial from the agency for submissions that fail to include plans that mitigate the cyberthreats to devices. The agency also issued a communication with advice on securing hospital networks, in addition to devices, to protect interconnected medical equipment and systems.

As FierceMedicalDevices reported, the cyberthreats to medical devices have been an issue for years. The concern was amplified a couple of years ago when a tech-savvy patient hacked into a computer in his Medtronic insulin pump and exposed an opening for a hacker to manipulate the device to deliver a lethal dose.

Yet there have been no documented cases in which hackers have mounted such attacks on patient devices, and manufacturers have used this fact in their arguments that the benefits of their products outweigh the risks, The Wall Street Journal reported.

Until recently, the FDA had even downplayed the magnitude of the hacking and malware threats to devices. Yet the Government Accountability Office and U.S. Department of Homeland Security pushed the agency to address the issue, and now software experts have another avenue of entry into the medical devices industry.

- here's the FDA's notice
- see the draft guidance (PDF)
- check out the story from FierceMedicalDevices
- read the Washington Post's article
- and the Wall Street Journal's coverage (sub. req.)
