Food and Drug Administration Issues Medical Device Cybersecurity Guidelines To Protect Patients From Deadly Hacks
At HotHardware, we unfortunately have to write about security and privacy breaches all too frequently, and those breaches can seriously affect their victims. But while a cyberattack on a bank might make for a bad day, nothing compares to a cyberattack on equipment that keeps its user alive. If you have a family member using a pacemaker, for example, you want to be confident in its ability to thwart potential attacks.
The Food and Drug Administration wholeheartedly agrees, and it backs that up with in-depth guidelines for makers of life-saving devices. The FDA doesn't sugar-coat the stakes, stating, "Failure to maintain cybersecurity can result in compromised device functionality, loss of data (medical or personal) availability or integrity, or exposure of other connected devices or networks to security threats. This in turn may have the potential to result in patient illness, injury or death."
The FDA recommends that device makers adopt the NIST Framework to ensure that best practices are in place for handling security both before and after a product's release. The agency is clear that security isn't something to focus on only in the run-up to release; it needs the same level of care afterwards, and for good reason, since that's when the worst bugs tend to rear their heads.
After an important health product hits the market, the FDA suggests that comprehensive risk management be undertaken. It explicitly lists the outcomes that process should prevent: denial of service, modification, outside access to internal information, and unauthorized access.
It's clear that with even our simple appliances and devices becoming digital, our lives can be enriched. But when those products that keep people alive also become digital, it can open up a huge can of worms. Much like with automakers developing self-driving cars, security on medical devices needs to be treated with the utmost scrutiny. We really don't want to have to write a post about how some medical vendor didn't do their due diligence.