The Food and Drug Administration is ramping up requirements on medical device manufacturers to prove they have adequate cybersecurity protections. A growing number of medical devices are connected to hospital networks and the Internet or other devices, which makes them vulnerable to viruses or cyberattacks and the FDA has recorded an increase in incidence of device attacks over the past few years.
A 2012 federal auditor’s report commented on flaws in implantable defibrillators and insulin pumps and urged the agency to review device security requirements. The report prompted the FDA to begin developing regulatory guidance and the agency issued a 2013 safety alert on medical device communications security.
Today, FDA released final regulatory guidance to device manufactures on device functionality and safety when they connect to networks. The agency invites public comments on the recommendations to manufacturers when they seek to gain FDA approval of a medical device.