FDA wants tighter cybersecurity for medical devices

As concerns about the hackability of medical devices mount around the world, the FDA is proposing tighter regulations for manufacturers, suggesting that companies include cybersecurity information along with clinical data when seeking approval.

In a draft guidance issued Thursday, the FDA asks devicemakers to demonstrate how they will keep their products from getting hacked and update software throughout their devices' lifespans to ensure patient safety. The agency would vet this information alongside clinical trials in the PMA process and have the right to reject a device if its cybersecurity is substandard.

The agency is looking for industry feedback on the recommendation and, barring an unlikely change of heart, the FDA will adopt the guidance later this year.

As more and more medical devices are built to wirelessly send information to physicians and databases, the FDA has seen an increase in reports of security breaches, and while it hasn't heard of any resultant patient injuries or deaths, the risk alone is reason enough to clamp down, the agency said.

The FDA's action comes after years of warnings, investigations and outrage over medical device security.

The issue first came to wide attention in 2011 when engineer Jay Radcliffe figured out how to hack his Medtronic ($MDT) insulin pump with easily obtained electronics, revealing that it could be wirelessly forced to deliver a fatal dose. Academics jumped on the bandwagon, calling into question medical device security measures, and, last year, both the Department of Homeland Security and Government Accountability Office urged the FDA to do something about the problem.

The latest guidance reflects something of a changing tide for the FDA. Last fall, when the GAO chided the agency for device security issues, FDA staff agreed in principle but said the lack of reported hackings made it a less-than-critical issue.

But that was before software failures became commonplace, CDRH's William Maisel told The Washington Post. The agency used to hear reports of security problems a few times a year, but "now we're hearing about them weekly or monthly," Maisel said.
