The FDA wants medical device makers to lock down security

As wearable technology starts to go beyond fitness tracking and add features that blur the lines between gadgets and officially licensed medical devices, the Food and Drug Administration is recommending that device makers make sure they store the data those devices collect securely.

The guidance document, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” is set to officially publish on Thursday, but you can preview a pre-publication PDF now. The FDA is primarily concerned with what it calls “cybersecurity” in mobile devices, and its guidance only covers products that are submitted to the FDA for review — so not the Apple Watch, at least not yet, but devices like connected glucometers. Although the new recommendations are non-binding, you can expect them to be widely adopted as best practices.

Basically, the FDA is recommending that medical gadget makers consider security at the beginning of the design process — assessing and identifying valuable data as well as device vulnerabilities — and is asking them to include justifications for security decisions in premarket submissions. The FDA would also like to see a roadmap outlining signed and verified software updates for the lifetime of the medical device, and says that patches made for security purposes likely won’t need another FDA review.


The Nova StatStrip Glucose meter, which transfers data over Wi-Fi, is an example of a device that the new guidelines are intended for.

There are a number of unsurprising recommendations, like limiting data access to only authenticated, trusted users, whether that is through a password or a biometric measure. Privileges should be differentiated by the user’s role — so a doctor would have different authorization than an office worker or system admin. The FDA would like to see specific tools to track down the source of a security breach. One of the most obvious guidelines is that medical gadgets should not have “hardcoded” passwords that are the same across devices.

As of now, the guidelines are targeted at networked medical devices, not consumer devices with medical functions. But anyone making a wearable device with, say, a heart rate monitor, needs to read and understand them. It’s not crazy to imagine that future smartwatches might need FDA approval — Apple was concerned that its watch might attract FDA attention, and even set up a meeting with FDA officials to confirm that it would not require pre-approval. Keep in mind that the smartwatches currently on the market are in very early stages, and it’s logical to think a future version of HealthKit or Google Health could be improved by sending health data directly to your doctor, which is exactly the kind of feature that will attract FDA regulation.

The Federal Trade Commission is currently exploring similar security regulations geared towards the internet of things. The FTC, like the FDA, faces the challenge of producing regulations for a rapidly emerging and expanding industry where nobody quite knows where it’s ultimately heading. But with both connected medical devices and the internet of things, the potential consequences of mismanaging sensitive data are so high that they compel the federal government to get involved.

The specter of government regulation might scare entrepreneurs who subscribe to the theory of “permissionless innovation,” but for something as important and sensitive as medical data, it’s welcome. After all, rapid improvements have provided wildly powerful smartphones with amazing cameras, but also led to lapses in security that caused the infamous iCloud hacks. The difference is that nude pictures are an embarrassing and infuriating breach, but a hacked pacemaker could be fatal.