The U.S. Food and Drug Administration (FDA) has, for the second time in two years, issued recommendations to improve the security of connected medical devices. Not mandates – recommendations.
Which immediately raises the question: Will anything that is non-binding put enough pressure on manufacturers to spend the time and money it will take to improve device security?
That, as is frequently said, remains to be seen.
The FDA issued what it called “guidance” on the “postmarket management of cybersecurity for medical devices” at the end of last year.
This follows “premarket” guidance that the agency issued two years earlier.
And while there is no legal requirement to implement them, some experts say they will still have the power to force change, noting that just because they are not mandates doesn’t mean they can’t have significant legal impact. All it would take to confirm that is to talk with a lawyer about the implications of “best-practice” recommendations in a lawsuit over harm to a patient from a device that was hacked because of poor security.
But then, there is Bruce Schneier, CTO of Resilient Systems and a privacy and encryption expert, who wondered in a blog post shortly after the postmarket guidance was published what the point was.
Schneier, who has called for government regulation of the entire Internet of Things (IoT) industry, wrote of the guidelines that there was, “nothing particularly new or interesting; it reads like standard security advice: write secure software, patch bugs, and so on. Note that these are ‘non-binding recommendations,’ so I'm really not sure why they bothered.”
But that got some immediate blowback in his reader comment section. “Doug” said he had been in the device industry for 30 years, and that while the law regulating medical devices would not change, “the interpretation and enforcement will.
“By knowing what the FDA is thinking, we can adapt our design, validation, and manufacturing efforts to meet these expectations. Guidance documents drive much of what we do,” he wrote.
The agency itself, in a statement to CSO, said the guidance, while nonbinding, is an interpretation of regulations, which are binding. It said the failure to follow the agency's Quality Systems Regulation (QSR) “adulterates” devices, and can result in their “seizure or injunction.”
Several experts agreed that the guidance is worthwhile, and should push manufacturers in the right direction. But none of them thinks that it is time, or will soon be time, for users of such devices to relax. Obviously the stakes are high – a hack of an implantable or other connected device can cause much more harm than the theft of data or identity. It could kill.