In an effort to prevent data theft and potentially even life threatening malicious attacks, the U.S. Food and Drug Administration has issued final guidance on cybersecurity for connected medical devices.
The non-binding agreement suggests methods in which medical device manufacturers can help to maintain the security of their networked devices once they are in use by patients.
Specifically, the guidance hits on four key points that FDA officials believe manufacturers should adhere to:
- Have a way to monitor and detect security of devices
- Understand, assess and detect the level of risk a vulnerability poses to the safety of the patient
- Establish a process for working with researchers and other stakeholders to receive information about potential vulnerabilities
- Deploy security patches and other fixes to address issues early, before they can be exploited to cause harm
On a basic level, more stringent security measures should help prevent hackers from obtaining data from connected medical devices.
But in more extreme cases, the FDA is concerned that a malicious attack could potentially harm a patient. White-hat hackers have demonstrated vulnerabilities in various life-saving devices, such as infusion pumps, that could be exploited to hurt or even kill the user of a connected medical device.
As the so-called “Internet of Things” continues to expand and connect more devices to one another, medical devices become a potential target for hackers and data thieves. Personally owned and used devices could potentially offer particularly intimate details about a user’s conditions, making such a data breach possibly more invasive than information retained by others, like insurance providers.