Manufacturers have to present patch and update plans

Oct 2, 2014 05:57 GMT

The US Food and Drug Administration (FDA) drafted some recommendations for medical device manufacturers regarding cyber-security risk, which were finalized on Wednesday.

The guiding document, titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, has been scheduled for publishing on Thursday, October 2.

It describes the cyber-security risks manufacturers should take into consideration when developing a medical product, in order to preserve the confidentiality, integrity and availability of the information it handles.

The FDA’s recommendation is for manufacturers to submit documentation about their product to the Administration, identifying the risks and the measures taken to mitigate them. Also, they should present a plan for releasing patches and updates for the operating systems running on medical equipment.

“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, M.D., MBA, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks,” she added.

Since device interconnectivity is growing at a rapid pace, cyber-security is something that should be of particular interest in the medical field.

The FDA's interest in cyber-defense covers malware infections on networked devices, lax password policies, the inability to deliver necessary software updates in due time, as well as vulnerabilities in off-the-shelf software designed to protect against unauthorized access to a device or network.

This measure does not stem from knowledge of attacks or compromised targets, but from precaution and a desire to prevent such unwanted events.

Tom Cross, research director at Lancope, said via email that medical devices are indeed susceptible to cyber-attacks, since oftentimes they are not built with future patching in mind.

“Hopefully these new FDA regulations will force the healthcare industry to focus on the issue and that will have a positive impact on the way that these devices are designed going forward. Computer malware can pose significant risks to patient safety, as well as the privacy of medical information.

“When major vulnerabilities like Shellshock and Heartbleed get disclosed, healthcare providers need a path to upgrade any vulnerable network connected devices that they have, so that those devices aren't exposed to attacks,” he added.

Cross points to the latest string of breaches affecting retailers across the US, which proved that cybercriminals are adept at attacking and gaining access to networked devices when given a strong enough motivation.