New cybersecurity guidelines for medical devices tackle evolving threats

The FDA outlined how medical device manufacturers should ward off cyberattacks, but didn’t include plans for enforcement

Photograph by Daniel Stone for the National Cancer Institute (Wikimedia Commons CC0)

Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results.

The recommendations are largely toothless

First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth.

The FDA has been warning the health care industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, the FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. That’s dangerous to patients, who could be harmed directly by devices altered to deliver too much or too little medication. It also means poorly secured devices could give hackers access to hospital networks that store patient information — a situation that’s ripe for identity theft.

“In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety,” says Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, in a blog post about the new guidelines. “And as hackers become more sophisticated, these cybersecurity risks will evolve.”

The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they’re being designed and developed. Today’s guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.

Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don’t have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug — then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won’t have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.

This attempt to secure medical devices is just the beginning, says Eric Johnson, a cybersecurity researcher and dean of the Vanderbilt University business school, in an email to The Verge. The FDA’s Schwartz agrees, writing in a blog post: “This is clearly not the end of what FDA will do to address cybersecurity.”
