2016 appears to have one more gift for us before calling it a year, and this time it involves both cybersecurity and the medical Internet of Things (IoT) devices — in a good way. The Food and Drug Administration (FDA), the federal agency charged with regulating food, drugs and medical devices, issued guidelines on how manufacturers can maintain security on medical IoT devices throughout a device’s lifetime. This means the FDA is arming manufacturers with the knowledge they need to deliver long-lasting and secure devices.
The guidelines are nonbinding and unenforceable, but they’re a welcome sign that federal agencies are interested in providing security standards for connected devices. This could, in theory, lead to enforceable regulation and provide a monetary incentive for device manufacturers to install and maintain better security on their devices. However, these guidelines have two immediate effects: they clarify what the FDA expects manufacturers to do when it comes to device security, and signal a shift towards consumer – or in this case, patient-centric – security for devices.
So, what does the FDA expect from medical IoT device manufacturers? First, it expects security maintenance for devices regardless of how long a device may have been out of the manufacturer’s hands. For example, if a device has been installed for more than five years, the FDA still expects the manufacturer to be able to monitor, update and maintain security software on that device. This suggests manufacturers will need to begin designing devices with security in mind at the beginning of the development cycle.
Second, the FDA expects manufacturers to detect, monitor and assess the risk of vulnerabilities in devices. As a result, manufacturers will need to employ a methodology for detecting and assessing risks. They’ll also have to work closer with cybersecurity professionals and researchers to head-off or fix any major vulnerabilities before they can affect patients .
Finally, the FDA expects manufacturers to have contingency plans in place in case a bug in a security or software update harms a patient. In this unlikely scenario, the manufacturer is required to alert the FDA of the malfunction.
Overall, these are welcome guidelines. IoT security poses a serious concern for consumers and businesses alike. It’s even more significant when people’s lives are quite literally on the line. Cyberattacks on hospitals aren’t unheard of, and cybersecurity researchers have shown how it’s possible to remotely disrupt life-saving devices like insulin pumps, pacemakers and more. There is, unfortunately, a lot more ground for manufacturers and the FDA to cover when it comes to medical IoT cybersecurity.
Still, the FDA has a history of being proactive in issuing cybersecurity guidelines. In late 2014, according to The Verge, the agency published guidelines on how to build security into medical devices and provided manufacturers with security industry standards. We should expect more in the near future.