With the push by big technology players (Cisco, Google, Intel, etc.) towards connectivity in everyday devices, cyber security is becoming more and more crucial. This push is even seen in medical device design as the industry begins to move toward cloud-integrated and network-connected devices so that they may be monitored or customized to surgeons needs on the fly.
The issue is that medical devices that used to be standalone machines are now being connected to wider networks. While this is useful, most manufacturers are not adding any increased security to their systems where a single machine attack used to be isolated and required physical access.
An infection and attack on an entire network of devices around the world can now occur completely remotely. A single change to an insecure cloud database or device that sets and gets settings from the cloud could lead to an entire device line being compromised. A few years ago, security expert Barnaby Jack showed that it is possible to compromise devices such as pacemakers and insulin pumps to attack patients as well. Any device with network connectivity will be insecure — and with strict FDA regulations on system updates, many manufacturers will not be patching issues as quickly as may be needed.
Thankfully, the FDA has been working on a draft guidance to try to set guidelines medical device engineers should use while designing their systems. The guidance also mentions possibly allowing validated operating system updates to be patched into systems in-between fully validated releases. Hopefully, the new guidance will help keep systems and patient data safe.