In August, the Food and Drug Administration published a guidance recommending hospitals move away from using Hospira's Symbiq Infusion System, a computerized pump designed for continuous infusion therapy delivery, because the devices were shown to be vulnerable to hacking attacks that could put patient safety at risk. In light of increasing awareness around the lack of cybersecurity for medical devices in hospitals and the risks for patients using the devices and the hospital networks they're linked to, the FDA has issued a draft cybersecurity guidance for manufacturers that focuses on steps they can take to mitigate hacking risks.
- Applying the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity, which includes the core principles of "Identify, Protect, Detect, Respond and Recover;"
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk;
- Understanding, assessing and detecting presence and impact of a vulnerability;
- Establishing and communicating processes for vulnerability intake and handling;
- Clearly defining essential clinical performance to develop mitigations that protect, respond and recover from the cybersecurity risk;
- Adopting a coordinated vulnerability disclosure policy and practice; and
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
The draft guidance also requires manufacturers to notify the FDA when designing protections for cybersecurity vulnerabilities that present a reasonable probability of serious adverse health consequences or death. The guidance is open for public comment for 90 days.