The Food and Drug Administration (FDA) has issued a series of guidelines regarding the regulation of radio frequency (RF) technology in medical devices, moves that if put into practice, could eventually help shore up the increasingly vulnerable medical device security model.

In a 24-page document (.PDF) issued last Tuesday, the agency laid out potential plans for devices that can be implanted in or worn on the body for use in hospitals, homes, clinics laboratories and blood establishments.

The document encourages manufacturers to consider which parts of their devices use wireless technology and to assess the risk associated with RF wireless technology before it’s implemented in their devices.

As expected, the document advocates the protection of wireless data transmission when it comes to medical devices, hoping to deter data corruption and interference from rogue transmitters. When these data streams are disrupted there should be a default, secure, backup mode of communication.

“The correct, timely, and secure transmission of medical data and information is important for the safe and effective use of both wired and wireless medical devices and device systems,” the report claimed.

When it comes to layers of security, the FDA encourages manufacturers to “include protocols that maintain the security of the communications while avoiding known shortcomings of existing older protocols,” and to use the latest “up-to-date wireless encryption.”

Much like a similar set of guidelines the FDA issued on medical devices earlier this summer, the agency considers their document as a set of general recommendations that will get device manufacturers heading down the right path when it comes to securing their products.

Those warnings, released in June, more so addressed the security of defibrillators, insulin pumps and pacemakers, devices that have all made their way into headlines as of late after being found to be vulnerable to attacks.

While medical device security has been a burgeoning field over the last few years, the industry lost one of its biggest innovators last month after Barnaby Jack, a researcher who developed a way to send remote commands to pacemakers and tweak certain kinds of insulin pumps, died shortly before the Black Hat security conference where he was to present new research on security bugs in implantable devices.

The latest document from the FDA is surely a step in the right direction, but as they acknowledge in the paper, there are a number of hoops to jump through. Other agencies, including the FCC, which is in charge of overseeing the basic tenets of wireless technology, would also have to sign off on any security regulations, not to mention the hurdles stemming from any potential safety issues.

Categories: Government, Hacks, Vulnerabilities

Comments (2)

  1. Deramin

    Good to see the FDA at least trying to take this seriously. Devices meant to keep people alive and/or healthy shouldn’t open up new ways for malicious people to hurt them. First do no harm, right?

  2. Tim Gee

    Actually, FDA guidance documents are not really recommendations. In this case, FDA describes they key safety and efficacy issues they expect to see in a premarket submission (commonly called a 510k). Cybersecurity was just one of several topics in the guidance.

    FDA produced guidance on medical device cybersecurity directly in 2005 in this . This summer, FDA published an excellent dealing with cybersecurity and networked medical devices intended for both manufacturers and medical device users (hospitals mostly).

    You can read more about the wireless medical device guidance .

Comments are closed.