Cybersecurity of smart medical devices, hospital networks is top priority for the FDA

Securing medical devices is a top priority after countless vulnerabilities have been detected in connected medical devices and hospital infrastructures. Not only are hospital networks exposed to remote hacker attacks and security breaches, but they also struggle with insider threats and major errors in healthcare equipment. The number of security incidents could be significantly reduced if cybersecurity regulations are enforced.

In an attempt to fix the problem, the US Food and Drug Administration (FDA) is pushing for stronger security in smart medical devices and demands they come with in-built software and firmware update features, according to the action plan released earlier this week.

It was only this week that pacemaker developer Abbott released another round of security updates, after critical bugs were detected in a number of pacemakers and monitoring systems.  The company’s latest firmware update affected some 350,000 implantable defibrillators.

Aware of the cybersecurity risks the healthcare industry has to deal with on a regular basis, the FDA is hoping to reduce threats and attacks especially when critical equipment, such as insulin pumps, cardiac monitors, glucometers or pacemakers, is at stake. The plan introduces guidelines for vulnerability disclosure and tips to fend off ransomware attacks that could even cause harm to patients’ wellbeing.

“Our aim is to make sure that the new advances in technology that are enabling better capabilities and benefits are also harnessed to bring added assurances of safety, so that more patients can benefit from new devices and address unmet needs,” FDA Commissioner Scott Gottlieb said.

In the report, the FDA also points out the importance of an analysis board called CyberMed Safety (Expert) Analysis Board (CYMSAB) that would be “a ‘go-team’ that could be deployed in the field to investigate a suspected or confirmed device compromise at a manufacturer’s or FDA’s request.”