The US Food and Drug Administration (FDA) has announced an effort to promote better cyber-security for medical devices.
While there is little or no evidence of devices being affected in the healthcare setting (the FDA reports not being aware of any examples within its jurisdiction), cyber-security researchers continue to identify security issues in medical devices.
The FDA’s response is to launch guidance (developed with the federally-funded R&D non-profit, the MITRE Corporation) for manufacturers on best practice for securing such devices. The FDA has released two documents: the first covers design considerations for a medical device, and the second covers the deployment of the device in a healthcare setting.
Given the seriousness of the consequences of interference with a medical device, even a handful of cases with consequences would likely result in significant controversy. In addition to the direct human consequences, and political pressure, any cases of live devices being hacked risk a significant public loss of trust in medical devices. Such perception issues would almost certainly result in a fall in the uptake of important medical devices, with a consequential impact on public health.
As such, the FDA's decision to take pre-emptive action to mitigate the risk is a positive move, and it is possible that similar moves may be seen in Europe in the near future as regulators follow suit.