Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results.
The recommendations are largely toothless
First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth.
The FDA has been warning the healthcare industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. That’s dangerous to patients who could be harmed directly by devices altered to deliver too much or too little medication. It also means poorly-secured devices could give hackers access to hospital networks that store patient information — a situation that’s ripe for identity theft.
“In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety,” says Suzanne Schwartz, the FDA’s associate director for science and strategic partnerships, in a blog post about the new guidelines. “And as hackers become more sophisticated, these cybersecurity risks will evolve.”