The Internet occupies a central role in the field of medical technology, and an increasing number of medical devices rely on the use of connected networks. While connected medical devices offer a range of benefits to both patients and providers, they also present a host of cybersecurity risks. New threats are identified with regularity. For example, in March, the U.S. Food and Drug Administration (FDA) identified security vulnerabilities in a major device manufacturer’s implantable cardiac devices which potentially exposed the devices to remote control by unauthorized users; in April, cybersecurity researchers presented what is thought to be the first clear evidence that malicious attackers have the capability to remotely alter medical imaging, with potentially life-threatening consequences; the examples go on.
In recent years, it appears that several government agencies have made concerted efforts to coordinate their approach to connected medical device cybersecurity. These coordinated efforts offer valuable insight for manufacturers of connected devices by highlighting issues of particular concern for both regulatory authorities and the connected medical device industry more generally. This article will discuss several critical lessons that manufacturers of connected medical devices can learn from recent unprecedented coordination among the FDA, the Department of Health and Human Services Office of Inspector General (HHS-OIG) and the Department of Homeland Security (DHS), respectively, as well as the increasingly important role the Federal Trade Commission (FTC) has come to occupy with respect to the cybersecurity of connected medical devices.
