The FDA has been warning the health care industry for years that medical devices are vulnerable to cyberattacks. It's a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps.
In 2015, FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient's body, could be accessed and controlled through the hospital's network. That's dangerous to patients who could be harmed directly by devices altered to deliver too much or too little medication.
It also means poorly secured devices could give hackers access to hospital networks that store patient information — a situation that's ripe for identity theft.
More from the Verge:
President Obama creates two controversial national monuments in Utah and Nevada
Vera Rubin, who confirmed dark matter, has died at 88
These weird little dinosaurs lost all their teeth and grew beaks as they aged, new science says
"In fact, hospital networks experience constant attempts of intrusion and attack, which can pose a threat to patient safety," says Suzanne Schwartz, the FDA's associate director for science and strategic partnerships, in a blog post about the new guidelines. "And as hackers become more sophisticated, these cybersecurity risks will evolve."
The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they're being designed and developed.
Today's guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.
Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don't have to alert the FDA every time they issue one.
That is, unless someone dies or is seriously harmed because of a bug — then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won't have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.
This attempt to secure medical devices is just the beginning, says Eric Johnson, a cyber security researcher and dean of the Vanderbilt University business school, in an email to The Verge. The FDA's Schwartz agrees, writing in a blog post: "This is clearly not the end of what FDA will do to address cybersecurity."