The Food and Drug Administration has finalized guidance on keeping medical devices such as pacemakers and insulin pumps safe from hacks.
Device makers should develop “a structured and comprehensive program to manage cybersecurity risks” even after their products are sold, according to Dr. Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.
The agency is currently investigating claims that St. Jude Medical's heart devices are vulnerable to hacks that could be life-threatening to patients. The allegations, made by short-selling investment firm Muddy Waters and cybersecurity company MedSec Holdings, claim St. Jude's devices “lack even the most basic forms of security.”
The FDA has been criticized for making suggestions instead of strongly regulating medical devices.
In a statement accompanying the final guidance's release, Schwartz said the FDA wants manufacturers and device users to monitor and detect cybersecurity vulnerabilities in their devices, assess the level of risk these devices pose, develop communications channels with researchers and others to share information about potential vulnerabilities, and “patch” any vulnerabilities early, “before they can be exploited and cause harm.”
Schwartz also recommended that developers and users apply to their operations the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).
The FDA's 30-page guidance applies to any marketed and distributed medical device. Those include medical devices that contain software (including firmware) or programmable logic, software that is a medical device, such as mobile medical applications, medical devices that are part of “an interoperable system,” and so-called “legacy devices” already on the market and in use.
The newest guidance accompanies a document issued in 2014 about the cybersecurity dos and don'ts of pre-market device development.
A draft of the new, post-market guidance came out in January.
According to the FDA, the document “clarifies the agency's postmarket recommendations and emphasizes that manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.”
The 21st Century Cures Act, which became law earlier this month, “clarified” the FDA's ability to regulate certain medical devices, particularly certain mobile medical apps.
In an effort to stem the growing number of cybersecurity attacks affecting healthcare, the Healthcare Information and Management Systems Society last month called on the industry to adopt a voluntary, national cybersecurity framework of “guidelines, best practices, methodologies, procedures and processes.” HIMSS mentioned the NIST framework by name, and other healthcare security leaders said it would be a good place to start.