The US Food and Drug Administration has released a set of guidelines for medical device manufacturers, stating how post-market products can be protected from cybersecurity threats.
The 30-page document responds to a legitimate concern that medical devices already approved by the FDA could be hacked. It recommends that manufacturers monitor, identify, and address cybersecurity vulnerabilities and exploits as part of their post-market management of medical devices.
The FDA has repeatedly cautioned the healthcare industry about the possibility of cyberattacks against medical devices. In 2014 it released a similar set of recommendations on how manufacturers could build cybersecurity defenses into their devices before approval. The latest guidance focuses instead on how manufacturers can maintain medical device security after FDA approval.
This is to be done through updates and patches delivered to address cybersecurity concerns. To reduce the burden on manufacturers, companies will not have to notify the FDA every time a routine update or patch is applied. If, however, someone dies or is seriously harmed because of a bug, the manufacturer must report it to the FDA.
If a dangerous bug is identified before any patient is injured, the manufacturer does not have to report the issue to the FDA, provided it informs customers and users about the bug within 30 days and fixes the issue within 60 days. The company must also share information about the vulnerability with an Information Sharing and Analysis Organisation (ISAO).