The Food and Drug Administration has released a set of recommendations for how device manufacturers should protect the security of Internet-connected medical devices.

One year in the making, the 30-page document encourages manufacturers to monitor their devices and software for vulnerabilities and to patch any issues as they are discovered.

“The best way to combat these threats is for manufacturers to consider cyber security throughout the total product life cycle of a device,” the FDA’s Suzanne B. Schwartz said in a blog post. “In other words, manufacturers should build in cyber security controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.”

Specifically, the FDA recommends that manufacturers continually address the cybersecurity risks of marketed medical devices in a structured way, in particular:

• monitoring and detecting cyber security vulnerabilities in their devices
• understanding the threat level posed to a patient
• establish best practice cyber security measures including working with researchers and other stakeholders, described as “coordinated vulnerability disclosure policy”
• mitigation deployment including rolling out patches before vulnerabilities can be exploited.

While it’s easy to make jokes about tricky tickers – that is, a hackable pacemaker – there is a substantive risk with medical devices in an age when everything is connected.

“The capabilities of modern medical devices continue to radically transform the treatment of acute conditions as well as the management of chronic long-term disease. As these technologies evolve, so also do the threats to the security and reliability of these devices,” the ACM warned in an October research paper.

It may sound somewhat farfetched, but as recently as August, pacemakers, defibrillators and other medical devices made by St. Jude Medical were found to be vulnerable to potentially “catastrophic” cyberattacks.

Image credit: Steven Fruitsmaak/Wikimedia Commons/CC 3.0