New Rules for Avoiding Cyber Bugs in Medical Devices

The U.S. Government wants to protect pacemakers, insulin pumps and imaging systems

X-ray of the thorax with a pacemaker.


The U.S. government on Tuesday issued rules for addressing cyber vulnerabilities in medical devices, providing manufacturers with guidelines for fixing security bugs in equipment, including pacemakers, insulin pumps and imaging systems.

"Cybersecurity threats are real, ever-present and continuously changing," Suzanne Schwartz, a senior Food and Drug Administration official who helped draft the new rules, said in a blog post. "And as hackers become more sophisticated, these cybersecurity risks will evolve."

The FDA released the 30-page guidance as the agency investigates claims from a short-selling firm and security researchers that heart devices from St. Jude Medical Inc are vulnerable to life-threatening hacks. The allegations, which surfaced in August, underscore the need for clear government rules on identifying and mitigating the impact of security vulnerabilities in medical equipment.

The FDA has been grappling with such issues for several years in response to a surge in research on potentially life-threatening security bugs in medical devices from so-called "white hat" hackers looking to identify flaws before they are exploited to harm patients.

The agency in 2014 issued guidance on how manufacturers should address cyber security when developing new products, though the rules did not cover equipment that was already on the market.

In 2015 the FDA advised hospitals to halt use of one of Hospira Inc's infusion pumps, saying a security vulnerability could allow cyber attackers to take remote control of the system.

The new guidelines detail how manufacturers should identify and fix cyber vulnerabilities in products that are already on the market. The rules encourage medical device makers to establish programs to make it easy for security researchers to report new bugs.

"There is greater clarity for manufacturers, patients and hospitals," said Josh Corman, an expert on medical device security who is director of the Atlantic Council's Cyber Statecraft Initiative.
