With all the current concern over IoT devices being vulnerable to cyberattacks, the U.S. Food & Drug Administration (FDA) has posted the agency's final guidance for medical device safety.
In a nutshell, device manufacturers need to take security considerations into account through a product's entire lifecycle, starting with its development, to ensure proper performance and functionality if a hospital's network is hacked.
The FDA's final guidance is available in a 30-page white paper. When planning their products, medical device manufacturers should place emphasis on the following considerations:
- Have a way to monitor and detect cybersecurity vulnerabilities in their devices
- Understand, assess and detect the level of risk a vulnerability poses to patient safety
- Establish a process for working with cybersecurity researchers and other stakeholders to receive information about potential vulnerabilities (known as a “coordinated vulnerability disclosure policy”)
- Deploy mitigations (e.g., software patches) to address cybersecurity issues early, before they can be exploited and cause harm
The FDA advised that device manufacturers work with other parties across the ecosystem, such as the National Institute of Standards and Technology (NIST), which in 2014 outlined core principles for improving critical infrastructure cybersecurity.