Because lives can depend on medical personnel having access to critical devices and information, cybersecurity is more challenging in a healthcare environment. While medical records need to be safeguarded from improper access, a doctor—who may not have been previously authorized—may need immediate access to a patient’s medical file. For medical devices, the situation is simpler, but a variety of personnel may need access to the device, making traditional access control a difficult prospect.
The FDA recognized the challenges.
“Security controls should not unreasonably hinder access to a device intended to be used during an emergency situation,” the agency stated in its guidance, adding a recommendation “that medical device manufacturers provide justification in the premarket submission for the security functions chosen for their medical devices.”
While the guidelines show that the medical device industry is cognizant of the problems that cybersecurity poses to medical devices, they need to do more, Paul Paget, CEO of offensive-hacking firm Pwnie Express, said in a statement to Ars.
“The nine-page document will not stem the tide of insecure medical devices and networks, many of which are vulnerable to cyber attack,” he said. “Organizations consistently need to check to ensure that their medical devices and networks are secure.”