On January 15, 2016, The U.S. Food and Drug Administration released Draft Guidance on Postmarket Management of Cybersecurity in Medical Devices. This guidance details and clarifies the FDA’s expectations for managing security vulnerabilities in medical devices currently on the market. It also introduces a new incentive to manufacturers to follow one particular path to vulnerability management that the FDA favors. We think security researchers will too!
The FDA draft guidance states that it expects manufacturers to have a coordinated disclosure program! This statement, while it doesn’t carry the force of law, is still a powerful signal to medical device makers who don’t already have one in place, that they need to get that ball rolling (Philips, Draeger, GE, and Medtronic all have methods to disclose vulnerabilities, by the way).