FDA beefs up cybersecurity efforts to ensure safety standards

Amid growing concerns over the hackability of medical devices, the FDA is beefing up its cybersecurity efforts to rally devicemakers and ensure new safety standards.

As MassDevice reports, federal regulators have teamed up with industry groups to establish more stringent rules for cybersecurity, ensuring that more devices pass muster. Last year, the FDA issued a formal guidance for the management of cybersecurity in medical devices, outlining steps for manufacturers to take when submitting a device for premarket approval (PMA). The agency also created a "cybersecurity laboratory," which stages deliberate cybersecurity attacks to sniff out any defects that could leave a device open to attack.

While some devicemakers remain tentative about the FDA's oversight, complying with the agency's new protocol could be critical in gaining premarket approval, Battelle engineering manager Melissa Masters told MassDevice. A higher-level guidance is likely to come, and devicemakers will be sent back to square one if their device does not meet regulators' standards.

"Within the year, I would guess that we're going to start seeing devices turned away from the FDA and not getting 510(k) clearance or [premarket approval] because they have not taken cybersecurity concerns from the beginning and integrated that to the process appropriately," Masters said. "It's going to be unfortunate, because I also think that a lot of companies don't have this expertise within their organizations already."

Big-name companies like Medtronic ($MDT) have already jumped on the bandwagon and are instituting new security measures to protect their devices from external attacks. In 2011, Jay Radcliffe made headlines when he demonstrated that he could rig his Medtronic insulin pump with radio waves to deliver fatal doses. After initially dismissing his claims, the company agreed to sit down with Radcliffe in 2012 to discuss security risks.

The Department of Homeland Security and the Government Accountability Office took note and urged the FDA to address the mounting chorus of cybersecurity complaints. The agency published draft guidance last June calling for tighter regulation of the devices during the PMA process and issued new cybersecurity rules to devicemakers last August.

"It's not hard to see where the technology is going," William Maisel of the FDA's Center for Devices and Radiological Health (CDRH) told Bloomberg. "It's not just about the vulnerability in the one implantable device the researcher was able to get into. We're headed to interconnectedness, to connected healthcare."
