Cyber attacks became a common occurrence in 2016 and likely aren’t going anywhere in 2017. In hopes of improving preparedness for those inevitable attacks, the United States Food and Drug Administration has laid out recommendations to medical device manufacturers on how to secure internet-connected devices.

The 30-page document—which is not legally enforceable and acts simply as a suggestion—encourages device makers to maintain medical devices long after their release to patch bugs and vulnerabilities that arise over time.

“Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan,” Suzanne Schwartz, the associate director for science and strategic partnerships at the FDA, said in a blog post.

Schwartz reasoned that manufacturers should be building cybersecurity controls from the moment they begin designing and developing a device and should “continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.”

The FDA recommended through the guidelines that manufacturers join an Information Sharing and Analysis Organization (ISAO) to share details about security risks and attacks when they happen.

It also gave clarification that manufacturers aren’t required to inform the FDA every time they issue a patch or update intended to address a security vulnerability, as those patches are considered a routine enhancement. Only if a bug leads to serious harm or death does the issue need to be identified.

The FDA recommends potentially dangerous issues that have not yet caused harm be reported to device users within 30 days, fixed within 60 days, and the information about the bug shared through an ISAO so others can address it if necessary.

The guidance published on Wednesday has been in the works since January and builds on an earlier framework for cybersecurity first set by the FDA in October 2014. It also follows a year in which hospitals and medical devices were proven to be vulnerable to cyber attacks that would leave patients and caretakers at risk.

Security researchers have successfully managed to remotely control valuable medical devices including defibrillators, pacemakers and insulin pumps—a problem the FDA warned about when it learned an infusion pump that releases nutrients into a patient’s body could be controlled via a hospital’s network.

Perhaps the most concerning example of security vulnerability was on display in 2016 when the Hollywood Presbyterian Medical Center in California fell victim to a ransomware attack that held patients and medical records hostage until a $3.4 million ransom was paid.

“This is clearly not the end of what FDA will do to address cybersecurity,” Schwartz wrote. “We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done.”

RELATED STORIES
Cybercrime