Dec 27 - The U.S. government on Tuesday issued
rules for addressing cyber vulnerabilities in medical devices,
providing manufacturers with guidelines for fixing security bugs
in equipment, including pacemakers, insulin pumps and imaging
systems.
"Cybersecurity threats are real, ever-present and
continuously changing," Suzanne Schwartz, a senior Food and Drug
Administration official who helped draft the new rules, said in
a blog post. "And as hackers become more sophisticated, these
cybersecurity risks will evolve."
The FDA released the 30-page guidance as the agency
investigates claims from a short-selling firm and security
researchers that heart devices from St. Jude Medical Inc
are vulnerable to life-threatening hacks. The allegations, which
surfaced in August, underscore the need for clear government
rules on identifying and mitigating the impact of security
vulnerabilities in medical equipment.
The FDA has been grappling with such issues for several
years in response to a surge in research on potentially
life-threatening security bugs in medical devices from so-called
"white hat" hackers looking to identify flaws before they are
exploited to harm patients.
The agency in 2014 issued guidance on how manufacturers
should address cyber security when developing new products,
though the rules did not cover equipment that was already on the
market.
In 2015 the FDA advised hospitals to halt use of one of
Hospira Inc's infusion pumps, saying a security vulnerability
could allow cyber attackers to take remote control of the
system.
The new guidelines detail how manufacturers should identify
and fix cyber vulnerabilities in products that are already on
the market. The rules encourage medical device makers to
establish programs to make it easy for security researchers to
report new bugs.
"There is greater clarity for manufacturers, patients and
hospitals," said Josh Corman, an expert on medical device
security who is director of the Atlantic Council's Cyber
Statecraft Initiative.
(Reporting by Jim Finkle in Boston; Editing by Dan Grebler)