FDA Offers Final Guidance For Medical Device Cybersecurity

Mike Miliard | Government Health IT | October 2, 2014

The U.S. Food and Drug Administration posted newly minted recommendations for protecting medical devices from attackers. Aimed at manufacturers, the guidance suggests device makers take serious stock of cybersecurity risk early in the design and development process — and show documentation to the FDA about the dangers they identify and the steps they're taking to mitigate them. The FDA also expects that manufacturers submit plans for providing patches and updates to operating systems and software as new risks crop up.

Shellshock, a bug discovered this past week and quickly recognized as among "the worst of all time," poses dangers to unpatched medical devices. As one security analyst told The Washington Post, a targeted exploitation of the flaw "could allow a hacker to remotely own" technology from cellphones to medical devices. This particular risk is fixable. The problem is that medical devices and other embedded systems depend on the vendor to make those protective patches downloadable to end users.

Many organizations "have already pushed out patches — but some appear to be stopgap fixes that do not completely resolve the problem," according to the Post. In the meantime, the device is left unsecured — and the next big threat or vulnerability, perhaps even the successor to Heartbleed and Shellshock, lies undiscovered in some tangled mess of obscure code. The FDA now expects medical manufacturers to consider such potential risks while designing devices, and to have a plan to redress them with system and software updates...