FDA to medical-device manufacturers: batten the hatches, the hackers are coming

The evils of the internet are seeping into the increasingly connected world of health care. On Thursday, the Food and Drug Administration called on medical device manufacturers to double down on security, referencing an increase in cyberattacks against medical devices and hospital network operations.

Over the years, the health-care system has built up its reliance on technology — from patient-monitoring devices to pacemakers to electronic health records — in efforts to improve patient care and boost efficiency. But the FDA said it’s become more aware of security shortcomings and incidents that could put hospital operations and patients at risk. For example, it said:

  • Medical devices are becoming infected with and disabled by malware.
  • Patient data, monitoring systems and implanted patient devices are being compromised by malware in smartphones and mobile devices.
  • Passwords for privileged device access aren’t being properly protected.
  • Older devices aren’t getting timely security updates and passwords.

“Over the last year, we’ve seen an uptick that has increased our concern,” William Maisel, deputy director of science and chief scientist at the FDA’s Center for Devices and Radiological Health, told The Washington Post. “The type and breadth of incidents has increased.” He told the Post that they previously heard about security issues once or twice a year; now, he said, they hear about problems weekly or monthly.

The heightened FDA attention comes on the heels of mounting reports from government agencies and independent researchers about cybersecurity holes in health care.

In the draft guidelines released Thursday, the FDA encouraged medical device makers to review their policies and practices to make sure security protections are in place. Examples include finding ways to limit device access to trusted users only and implementing “fail-safe modes” that ensure a device’s critical functionality even when compromised. The agency said that later, it will issue final guidelines that could enable it to block the release of devices that don’t meet its standards.

As we’ve covered before, the FDA is expected to release final guidance on how it will regulate mobile health technology later this year, so presumably, these new recommendations will apply to a subset of mobile health apps as well.