US publishes guide to hardening your arteries, security-wise, that is
Food and Drug Admin wants medical device-makers to get better at infosec
The US Food and Drug Administration has issued draft guidance requiring medical device manufacturers to up their security game and report major incidents to the agency.
Organisations building pacemakers, defibrillators, insulin pumps, and other hackable medical systems will need to be able to identify, protect, detect, respond, and recover, under the draft.
The mega agency is directing vendors to apply the lessons found in the Framework for Improving Critical Infrastructure Cybersecurity [PDF] issued by the National Institute of Standards and Technology.
The agency's move comes on the back of a string of hacking incidents affecting life-critical medical devices that have posed various threats to life, including remotely shutting off pacemakers and modifying insulin pumps.
Agency device and radiological health executive Suzanne Schwartz says it is essential that manufacturers improve the security of devices both as they are built and as they are maintained.
"All medical devices that use software and are connected to hospital and health care organisations' networks have vulnerabilities - some we can proactively protect against, while others require vigilant monitoring and timely remediation," Schwartz says.
"Today's draft guidance will build on the FDA's existing efforts to safeguard patients from cyber threats by recommending medical device manufacturers continue to monitor and address cybersecurity issues while their product is on the market."
Manufacturer security programs should also include:
- Monitoring security information sources for identification and detection of security vulnerabilities and risk;
- Understanding, assessing and detecting presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the security risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address security risk early and prior to exploitation.