FDA issues final guidance on medical devices' cybersecurity

The Food and Drug Administration has issued its final guidance on protecting medical devices like pacemakers and insulin pumps from cyberattacks. To start with, it wants manufacturers to boost their cybersecurity measures by incorporating a way to monitor and detect vulnerabilities into the products they make. The FDA also wants them to establish a process for receiving information about potential vulnerabilities from cybersecurity researchers. If they do detect any exploitable flaw, the agency wants the companies to assess the risk it poses to patients. Finally, it wants the medical device makers to issue software patches to fix any vulnerability it finds. According to the FDA, this final guidance "recognizes today's reality" that "cybersecurity threats are real, ever-present and continuously changing." It applies to all medical devices, including those already out on the market such as those manufactured by St. Jude Medical. The agency is currently investigating St. Jude's products after an investment firm and a cybersecurity company claimed that they lack even the most basic form of cybersecurity.