The U.S. Food and Drug Authority has released a set of guidelines for keeping medical devices secure from jeopardy and to ensure safety and privacy of the users. The "Postmarket Management of Cybersecurity in Medical Devices" report discusses the importance of device security and reiterating that cyber security is a continuous effort of maintenance and periodical software updates.

Notably, the steps contained in the report are identified as "nonbinding recommendations," implying that the recommendation is just advisory, the maintenance of the devices is still up to the user.

 Dr. Suzanne Schwartz, Associate Director for Science and Strategic Partnerships at the FDA's Center for Devices and Radiologic Health, has noted in a supporting blog post that the industry is at a huge risk. She said that most of the medical devices used currently are either connected to a hospital network or users' home network. Technological advances in patient care are significant and the risk in cyber security is also growing. Security breaches can affect a device's functionality and performance.

The blog also said that manufacturers should also take into account cybersecurity when designing and developing devices to assure device performance against threats. Continuous monitoring and prevention of cyber security concerns is a must once the device is sold in the market and is already in use.

Compared to non-medical devices that periodically receives software updates, devices such as pacemakers and defibrillators are usually left alone once it is in the market, making it an easy target for attackers. Aside from tampering with the device's functionality, the identity of the user could also be stolen by database thieves.

Poorly secured networks, where these devices are linked, can be easily breached. According to the United States Department of Health and Human Services, there have been more than 1,700 data breaches since 2009 that affected more than 500 individuals. In addition, those, the unnoticed, not reported and unlisted attacks were much higher.

The FDA cited worst-case scenarios resulting from software vulnerabilities and how it can be managed. When a manufacturer gets the information that there is a vulnerability on their device, the manufacturer should immediately communicate with the customers and the user community about the vulnerability, not later than 30 days. They should also inform users about the remediation plan to lessen the risk to acceptable levels and identify the interim compensating controls.

The manufacturer should fix the issue, validate it and roll out the fix to the users and the community within two months of learning about the problem. 

IoT home devices are well-known for powering botnets, capable of taking huge parts of the internet offline with DDoS attacks. Medical devices, when hacked, becomes literally life threatening, a threat so great that the FBI released a formal warning about remote exploits.

The real issue, at the end of the day, is enforcement of the said guidelines, and the speed of action when such vulnerabilities are found, especially from the side of the manufacturers. Hopefully, manufacturers should start following the recommendations and release fixes faster, not until a major security incident happens.