The Food and Drug Administration (FDA) recently issued new requirements mandating that medical devices be secured against cyberattacks. This move comes after a long-standing concern about the potential for these devices to be hacked and used to harm patients. This new requirement is a significant step towards securing medical devices, which have been increasingly more connected and vulnerable to cyberattacks. Medical devices such as insulin pumps, pacemakers, and other implantable devices can be hacked to cause significant harm to patients.
Connectivity Is a Double-Edged Sword
The ability to connect wirelessly to implanted medical devices makes them significantly easier to monitor and control. Unfortunately—as with every technology—if it makes life easier for you, it also makes it easier for attackers and exposes you to risk. A group of researchers led by Barnaby Jack demonstrated more than a decade ago that they could remotely control an insulin pump, causing it to deliver fatal doses of insulin. Using software and a special antenna, Barnaby could locate and hijack control of insulin pump devices within a 300-foot radius. This demonstration underscored the seriousness of the problem and the potential harm that can be caused.
Securing Medical Devices
Securing medical devices against cyberattacks is essential. These devices impact human lives. Any vulnerability in a medical device can have serious consequences for patients. For example, a hacker could potentially deliver a fatal dose from an insulin pump as described above, or change the settings on a pacemaker causing it to malfunction and harm the patient. This underscores the importance of ensuring that these devices are secure and free from vulnerabilities that could be exploited.
Of course being connected means that medical devices are more vulnerable to cyberattacks. In the past, medical devices were standalone devices that were not connected to any network. However, with the rise of the internet of things (IoT), medical devices are now connected to the internet or other networks. This makes them more vulnerable to cyberattacks. The trust of patients and consumers is also essential and requires that medical devices be protected against cyberattacks. Patients must have confidence that the medical devices they use are secure and free from vulnerabilities that could be exploited by attackers. Any vulnerability in a medical device can erode patient trust and lead to negative outcomes.
FDA Guidance
The FDA’s new requirement emphasizes the importance of AppSec in medical devices. This means that manufacturers must take steps to ensure that the software used in their devices is secure and free from vulnerabilities that could be exploited by attackers. This is an important step towards ensuring that medical devices are safe for patients to use.
The new requirements apply to medical devices that have software that is connected to the internet or other networks—including devices that have wireless connectivity, such as Bluetooth or Wi-Fi. Moving forward, medical device manufacturers must submit documentation that shows a software bill of materials (SBOM) and how they have implemented cybersecurity measures in their devices. The FDA will review this documentation and ensure that the devices meet the required standards.
AppSec Is Crucial
The FDA’s new requirements are a significant step towards securing medical devices against cyberattacks. They underscore the importance of AppSec in the development of medical devices and highlight the potential harm that can be caused by a cyberattack on a medical device. Manufacturers must now take steps to ensure that their devices are secure and free from vulnerabilities that could be exploited by attackers—which is essential for patient safety, trust, and confidence in the medical devices they use.
With any IoT device patching vulnerabilities can be a painstaking process, this becomes even more problematic with medical devices that are often implanted in a human being. This is why it is even more important to have a strong AppSec program that finds vulnerabilities in code before they are even released to market. An ounce of prevention is worth a pound of cure.
