Illustration by Alex Castro / The Verge

Congress and the FDA took steps this week to shore up one of the weak points in health care cybersecurity: medical devices. The FDA issued new draft guidance for device makers on how to build devices that are less likely to be hacked.

Medical devices that connect to the internet are targets for attackers, and a successful attack can put patient safety at risk. Many devices in use today have vulnerabilities that could be exploited.

The FDA has been trying to get a handle on this problem for a while. It first issued cybersecurity guidance for medical device makers in 2014, covering what manufacturers should address before the agency clears their products for sale, and later followed it with an updated draft guideline. Suzanne Schwartz, director of the Office of Strategic Partnerships and Technology Innovation at the FDA, told The Verge that the new draft is based on feedback from manufacturers and other experts and on changes in the medical device environment over the past few years.

The new document is only a draft, and device makers won't be expected to follow it until it is finalized. There are a few changes from the last go-around, including an emphasis on the whole lifecycle of a device and a recommendation that manufacturers include a Software Bill of Materials (SBOM) with all new products. An SBOM lists the software components inside a device, which makes it easier for hospitals to keep tabs on what is running on their equipment: if a bug or vulnerability is disclosed in a piece of software, a hospital could quickly check whether, say, its infusion pumps contain that software.
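To make that last point concrete, here is an added example (not code from The Verge article, the FDA or any device maker) showing the kind of check an SBOM enables: given one SBOM per device and an advisory naming a component and the version range it affects, report which devices in the inventory contain an affected version. The SBOMs are constructed sample data in a CycloneDX-like JSON shape; the device asset tags, the component name `libtcpstack` and all version numbers are hypothetical.

```python
"""Added example: querying per-device SBOMs for a vulnerable component.

Not part of the original article or any FDA guidance. The inventory below is
constructed sample data; device IDs, component names and versions are made up.
"""
import json

# Constructed inventory: one CycloneDX-style SBOM document per device asset tag.
# CycloneDX lets a component (here a firmware image) carry its own nested
# "components" list, so the query below walks the tree rather than the top level only.
SAMPLE_SBOMS = {
    "pump-A-0001": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "libtcpstack", "version": "2.3.0"},
        {"type": "library", "name": "zlib", "version": "1.2.11"}]}),
    "pump-A-0002": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "libtcpstack", "version": "2.4.1"},
        {"type": "library", "name": "zlib", "version": "1.2.11"}]}),
    "monitor-B-0007": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "firmware", "name": "monitor-os", "version": "7.1", "components": [
            {"type": "library", "name": "LibTCPStack", "version": "2.0"}]}]}),
    "imaging-C-0003": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
        {"type": "library", "name": "zlib", "version": "1.2.13"}]}),
}


def parse_version(text):
    """Split a dotted version string ("2.3.0") into a tuple of ints.

    Each piece keeps only its digits, so a loose tag like "2.3.x" becomes (2, 3, 0)
    instead of raising; this is deliberately simple and not a full semver parser.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like a classic comparator, treating "2.3" == "2.3.0".

    Both tuples are zero-padded to the same length first; without that, Python
    would rank (2, 3) below (2, 3, 0) and miss a genuine match.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_affected(version, introduced, fixed=None):
    """True when introduced <= version < fixed; fixed=None means no fix exists yet."""
    if compare_versions(version, introduced) < 0:
        return False
    return fixed is None or compare_versions(version, fixed) < 0


def components_in_sbom(sbom_json):
    """Yield (lower-cased name, version) for every component, nested ones included."""
    stack = list(json.loads(sbom_json).get("components", []))
    while stack:
        comp = stack.pop()
        stack.extend(comp.get("components", []))
        name = comp.get("name")
        if name:
            yield name.lower(), comp.get("version", "")


def find_affected_devices(sboms, component, introduced, fixed=None):
    """Map each device ID to the affected versions of `component` found in its SBOM.

    Devices with no match are omitted, so an empty dict means the fleet is clear.
    """
    hits = {}
    for device_id, sbom_json in sboms.items():
        for name, version in components_in_sbom(sbom_json):
            if name == component.lower() and is_affected(version, introduced, fixed):
                hits.setdefault(device_id, []).append(version)
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: libtcpstack versions from 2.0.0 up to (not including) 2.4.0.
    print(json.dumps(find_affected_devices(SAMPLE_SBOMS, "libtcpstack", "2.0.0", "2.4.0"), indent=2))
```

Two practical caveats apply to anything beyond this toy inventory: real advisories and SBOMs identify components by package URL (purl) or CPE rather than bare names, so a production check should match on those identifiers, and vendor-patched builds often carry version strings that do not follow the upstream numbering an advisory uses, which is exactly why the FDA's draft pairs the SBOM recommendation with an expectation that manufacturers can actually patch what the SBOM lists.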

The FDA also wants Congress to give it more authority to set cybersecurity requirements for medical devices. Schwartz says manufacturers should be required to be able to patch or update their devices when software problems are found.

The FDA's efforts coincide with a proposed bill introduced in Congress this week, the PATCH Act, which would codify some of the FDA's proposals. The bill would require device manufacturers to have a plan to address any cybersecurity issues with their devices and to provide an SBOM for new devices. If the bill passes, those elements would become binding requirements rather than recommendations.

“This would give us extra teeth”

This would give us more authority in the area of cybersecurity, and it would tie that directly to the safety of medical devices.

The new recommendations and legislation would cover only new devices coming onto the market, not the millions of medical devices already in use in the United States. The FDA has separate guidance outlining how device makers should monitor for potential cybersecurity issues in devices that are already deployed. The agency has no current plans to update that guidance, but Schwartz says it is something the FDA would consider.

The focus of the new draft guidelines and the FDA's push for legislation is to make sure new devices are in better shape than the ones that have been on the market and that have existing cybersecurity issues.