The US Food and Drug Administration (FDA) has made a long overdue push to improve the security of medical devices, in new guidance issued on Friday.
The draft document sets out the steps device manufacturers should take to monitor for, identify and address any vulnerabilities that might emerge once a product has entered the market.
It also promotes the principle of information sharing by joining an Information Sharing and Analysis Organization (ISAO).
As part of a comprehensive cybersecurity risk management programme, the FDA recommends applying NIST's voluntary 2014 Framework for Improving Critical Infrastructure Cybersecurity.
It said device makers need to better monitor information sources to help identify risk; be able to assess and detect vulnerabilities; develop mitigations to any threats; and adopt a co-ordinated vulnerability disclosure policy.
The FDA also said it would need to be notified by manufacturers of a “small subset” of serious vulnerabilities which “may compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death.”
“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Suzanne Schwartz, FDA associate director for science and strategic partnerships.
“Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats.”
The government agency is asking for public comments on the document, which will be accepted for the next 90 days.
It said it has been working to improve information sharing and “collaboratively develop and implement risk-based standards” since 2013. However, reports have shown the healthcare sector to be among the most vulnerable to cyber-attack.
Aside from the major breaches at Anthem and Premera Blue Cross where tens of millions of highly sensitive records were stolen, the Identity Theft Resource Center claimed 67% of all records reported stolen last year in the US came from this sector.
That amounts to over 112 million records, far more than government (34m), business (16m) or banking (5m).