Skip to main content

The US is trying to fix medical devices’ big cybersecurity problem

The US is trying to fix medical devices’ big cybersecurity problem


The FDA and Congress both just put out new proposals

Share this story

Illustration by Alex Castro / The Verge

Medical devices are one major weak point in health care cybersecurity, and both Congress and the Food and Drug Administration took steps towards closing that gap this week —Congress with a proposed bill and the FDA with new draft guidelines for device makers on how they should build devices that are less likely to be hacked.

Devices like infusion pumps or imaging machines that are connected to the internet can be targets for hacks. Those attacks can siphon off patient data or put their safety directly at risk. Experts consistently find that devices in use today have vulnerabilities that could be exploited by hackers.

The FDA, which regulates medical devices, has been trying to get a handle on this problem for a while. Back in 2014, it put out guidance for medical device makers that outlined how they should incorporate cybersecurity before they asked the agency to clear their products. The agency then put out a draft guideline in 2018. This new draft replaces the 2018 version and is based on feedback from manufacturers and other experts and changes in the medical device environment over the past few years, Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA, told The Verge.

The new document is still just a draft, and device makers won’t start using it until it’s finalized after another round of feedback. But it includes a few significant changes from the last go-around — including an emphasis on the whole lifecycle of a device and a recommendation that manufacturers include a Software Bill of Materials (SBOM) with all new products that gives users information on the various elements that make up a device. An SBOM makes it easier for users to keep tabs on their devices. If there’s a bug or vulnerability found in a bit of software, for example, a hospital could easily check if their infusion pumps use that specific software.

The FDA also put out legislative proposals around medical device cybersecurity, asking asking Congress for more explicit power to make requirements. “The intent is to enable devices to be that much more resilient to withstand the potential for cyber exploits or intrusion,” Schwartz says. Manufacturers should be able to update or patch software problems without hurting the devices’ function, she says.

The FDA’s efforts dovetail with a proposed bill introduced in Congress this week, the Protecting and Transforming Cyber Health Care (PATCH) Act, which would codify some of the FDA’s proposals. The bill would require device manufacturers to have a plan to address any cybersecurity issues with their devices, and require an SBOM for new devices. If the bill passes, then those elements become requirements rather than just recommended guidelines from the FDA.

“This would give us extra teeth”

“This would give us extra teeth,” Schwartz says. “This really, for the first time, would establish, very explicitly, authority in the area of cybersecurity and tie that directly to the safety of medical devices.”

Notably, these new recommendations and the legislation would primarily apply to new devices coming onto the market — they don’t cover the millions of medical devices already in use in the United States. The FDA has guidelines, written in 2016, that outline how device makers should keep tabs on potential cybersecurity issues in their existing devices already on the market. Schwartz says that the FDA doesn’t have active plans to update that guidance, but it’s something the agency would consider.

The focus of the new draft guidelines and the FDA’s push for legislation around device cybersecurity is to make sure new devices coming online are in better shape than the ones that have been on the market and that have existing cybersecurity issues. “We want the devices of tomorrow not to have the same legacy issues that we’re dealing with today,” she says.

Today’s Storystream

Feed refreshed Sep 24 Striking out

External Link
Emma RothSep 24
California Governor Gavin Newsom vetoes the state’s “BitLicense” law.

The bill, called the Digital Financial Assets Law, would establish a regulatory framework for companies that transact with cryptocurrency in the state, similar to New York’s BitLicense system. In a statement, Newsom says it’s “premature to lock a licensing structure” and that implementing such a program is a “costly undertaking:”

A more flexible approach is needed to ensure regulatory oversight can keep up with rapidly evolving technology and use cases, and is tailored with the proper tools to address trends and mitigate consumer harm.

Andrew WebsterSep 24
Look at this Thing.

At its Tudum event today, Netflix showed off a new clip from the Tim Burton series Wednesday, which focused on a very important character: the sentient hand known as Thing. The full series starts streaming on November 23rd.

The Verge
Andrew WebsterSep 24
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.

Andrew WebsterSep 24
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.

A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix
Jay PetersSep 23
Twitch’s creators SVP is leaving the company.

Constance Knight, Twitch’s senior vice president of global creators, is leaving for a new opportunity, according to Bloomberg’s Cecilia D’Anastasio. Knight shared her departure with staff on the same day Twitch announced impending cuts to how much its biggest streamers will earn from subscriptions.

Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.

External Link
If you’re using crash detection on the iPhone 14, invest in a really good phone mount.

Motorcycle owner Douglas Sonders has a cautionary tale in Jalopnik today about the iPhone 14’s new crash detection feature. He was riding his LiveWire One motorcycle down the West Side Highway at about 60 mph when he hit a bump, causing his iPhone 14 Pro Max to fly off its handlebar mount. Soon after, his girlfriend and parents received text messages that he had been in a horrible accident, causing several hours of panic. The phone even called the police, all because it fell off the handlebars. All thanks to crash detection.

Riding a motorcycle is very dangerous, and the last thing anyone needs is to think their loved one was in a horrible crash when they weren’t. This is obviously an edge case, but it makes me wonder what other sort of false positives we see as more phones adopt this technology.

External Link
Ford is running out of its own Blue Oval badges.

Running out of semiconductors is one thing, but running out of your own iconic nameplates is just downright brutal. The Wall Street Journal reports badge and nameplate shortages are impacting the automaker's popular F-series pickup lineup, delaying deliveries and causing general chaos.

Some executives are even proposing a 3D printing workaround, but they didn’t feel like the substitutes would clear the bar. All in all, it's been a dreadful summer of supply chain setbacks for Ford, leading the company to reorganize its org chart to bring some sort of relief.