US agency cracks down on medical device IT security

An American regulatory agency believes medical device manufacturers have to get tougher with IT security on anything that touches the Internet or a wireless network.

The Food and Drug Administration (FDA) issued draft guidelines on Thursday for vulnerabilities that electronic health equipment manufacturers should be addressing about before submitting products for approval.

“The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information,” the draft document explains.

Failure to maintain cybersecurity can result in compromised device functionality, loss of data availability or integrity, or exposure of other connected devices or networks to security threats, it notes. “These, in turn, have the potential to result in patient illness, injury, or death.”

According to the Washington Post, after hearing comments from industry and the public the guidelines will be finalized and the FDA will have the power to refuse to approve devices if manufacturers don’t provide adequate plans for protecting their devices.

While there has been guidance to makers of networked medical equipment makers on cybersecurity since at least 2005, the draft rules spell out more definitively what they have to do.

The general principle manufacturers should follow is the creation of a set of security controls that will maintain information confidentiality, integrity, and availability of medical devices. That means patient information in everything from heart monitors to x-ray machines can’t be altered and is only accessible to authorized persons.

A spokesperson for Health Canada said in an email that Canadians should only purchase medical devices that have been authorized by the department. “During the review of a medical device licence application, manufacturers must demonstrate their devices meet the requirements of safety and effectiveness, and included in this would be evidence of acceptable functioning of the software.” the statement said.

The FDA suggested that in their requests for approvals manufacturers should document how they have dealt with the risks of IT vulnerabilities and the likelihood of it being exploited.  

“The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach,” the FDA said.

Medical devices capable of connecting to another medical device, to the Internet or other network, or to portable media (for example a USB stick or Compact Disk) are more vulnerable to cybersecurity threats than devices that aren’t, the draft recommendations noted.

Manufacturers should also carefully consider the balance between cybersecurity safeguards and the usability of the device in its intended environment of use (for example use in the home vs. in a health  care facility) to ensure that the security capabilities are appropriate for the intended users.

For example, security controls should not hinder access to the device during an emergency, it said. Similarly, manufacturers should consider if security features will interfere with the ability of healthcare providers to administer necessary care.

Possible security controls include limiting access to devices through authentication like passwords or biometrics, timed session log-offs, layered privileges, physical locks and requiring controls before allowing software or firmware updates.

Read the whole story here

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now