Skip to content
Stethoscope. Image courtesy of Shutterstock.
Naked Security Naked Security

FDA releases draft guidelines to improve cybersecurity in medical devices

Hacking medical devices is a scary prospect - think pacemaker - so it's good to see the FDA weighing in on the problem.

There’s no doubt that the global Internet of Things (IoT) healthcare market is growing.

Sadly, the IoT is a bit of a cybersecurity nightmare; many smart things aren’t secured properly, leaving sensitive data, and sometimes people’s health, at risk.

Cybersecurity in medical devices has been of concern for some years now – last year a security hole was found in some drug pumps which could have allowed a fatal dose to be administered, and back in 2013, the wireless capabilities of Dicky Cheney’s pacemaker were disabled to thwart hacking attempts (read assassination attempts).

The US Food and Drug Administration (FDA) is well aware of the cybersecurity risks in medical devices and for a while has been asking makers to see medical device security as a serious concern.

Now, it has issued draft guidelines to give device makers a clearer picture of the steps that need to be followed to ensure the safety of their devices.

In a statement, the agency said:

Cybersecurity threats to medical devices are a growing concern. The exploitation of cybersecurity vulnerabilities presents a potential risk to the safety and effectiveness of medical devices. While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.

Some of the key elements of this draft guidance include:

  • Apply the 2014 NIST voluntary framework for improving critical infrastructure cybersecurity.
  • Define essential clinical performance to develop solutions that offer protection from cybersecurity risks and also help respond to and recover from them.
  • Keep on top of sources that help identify and detect cybersecurity vulnerabilities.
  • Understand and assess the implications of a vulnerability.
  • Create and follow a seamless vulnerability management process.
  • Put in place and practice a well-coordinated vulnerability disclosure policy.
  • Cybersecurity risk mitigations must be deployed early and prior to exploitation.

The document is in its draft stages, and a work in progress. We’re glad to see it.

Image of stethoscope courtesy of Shutterstock.


Why on earth is almost every networking application designed for using that same single standatd internet all the time? It may be convenient to use the same infrastructure for everything, but there are quite a lot of applications where hackability can be threatening for life and well being of people. We know from experience that there is no code for cybersecurity without the risk of getting broken. So if we take the safety and health of people serious, there is no alternative for building perfectly seperate networks for those applications. This will be costly and it will be much less convenient or “fun”, not being able any more to control everything remotely all the time. But we should stop fooling ourselves, face reality and stop behaving as if worldwide connectivity is the only way things can get done.


While you are right, this would be impractical in real life. The problem is that the devices need to work no matter where the patient is at the time. This means the Internet is the only vehicle that fills the requirements.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!