The FDA is recommending beefed-up security on medical devices to reduce the risk that devices are compromised by a cyber threat.
The Department of Homeland Security issued a warning last year about medical devices that attach to IT networks being a potential security threat. Among the issues raised was a security researcher's demonstration of how an outside actor can shut off or alter the settings of an insulin pump without the user's knowledge.
In a draft report prepared for Congress, the FDA says that the need for effective cyber security to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices and the frequent electronic exchange of medical device-related health information.
It warns that a failure to maintain cyber security can result in patient illness, injury, or death.
The FDA says that manufacturers should consider cyber security during the design phase of the medical device. It says that manufacturers should consider the balance between cyber security safeguards and the usability of the device.
It warns that security features should not make the device too difficult to use.
Among the recommendations is to limit access to devices by authenticating users with a user ID and password, smart card, or biometric checks. Another is to strengthen password protection by avoiding “hard-coded” passwords (i.e., passwords that are the same for each device, difficult to change, and vulnerable to public disclosure) and to limit public access to passwords used for privileged device access.