The FDA and cybersecurity

This week we have a guest blog post from Pwnie Express Marketing Analyst, Sara Kantor.

Although it’s easy to think of cybersecurity as the realm of financial data and credit cards, one of the most vulnerable areas of recent technological progress is medicine. The FDA (Food and Drug Administration) recently released a nine-page document on the ‘Content of Premarket Submissions for Management of Cybersecurity in Medical Devices’, an update to its previous guidelines released in June 2013. The document covers certain cybersecurity guidelines and best practices, most importantly stating that medical device manufacturers ‘should address cybersecurity during the design and development of the medical device’.

The FDA is a notoriously slow-moving organization, and rightly so: their carefulness ensures the health and safety of hundreds of millions of consumers who rely upon strict testing and sales guidelines. The necessity of cybersecurity guidelines in the industry has been apparent for years, yet the FDA only released its first public statement on the subject in 2013.

Even the newest guidelines may not be enough – the biggest issue is that the guidance, in its own words, does ‘not establish legally enforceable responsibilities’. Instead, it describes the Agency’s current thinking on the topic and should be viewed only as a set of recommendations, unless specific regulatory or statutory requirements are cited.

The FDA’s loose definitions and strictures give flexibility to the makers of medical devices, however, which is important to the effective security of a wide range of devices that may require vastly different measures. In this light, the guidelines provide a useful resource to medical companies lacking the knowledge and expertise to appropriately secure their devices. Even more importantly, the guidelines can be viewed as the ‘push’ that many cybersecurity professionals need in order to convince their management to invest the necessary resources – particularly money and time – in more efficient security measures.

Unfortunately, these benefits are only a start: even if the FDA does not want to mandate certain guidelines, why not require the premarket submission to ensure that companies understand their network security? How is it that personally identifiable information (PII) has its own set of regulatory standards, when machines that can determine life or death are merely given guidelines?

Views and opinions expressed are that of the author and may not represent IT Governance.

Pwnie Express are the manufacturers of the industry’s best penetration testing tools. One of their signature products, the Pwn Pad 2014, is available to purchase on the IT Governance UK site.