The U.S. Government Accountability Office website has published an interesting report on Information Security and Medical Devices. Unfortunately this report has probably been missed amid all the U.S. elections news.
Specifically, FDA considered risks from unintentional threats for four of the eight information security control areas GAO selected for its evaluation —software testing, verification, and validation; risk assessments; access control; and contingency planning. However, the agency did not consider risks from intentional threats for these areas, nor did the agency provide evidence of its review for risks from either unintentional or intentional threats for the remaining four information security control areas —risk management, patch and vulnerability management, technical audit and accountability, and security- incident - response activities. According to FDA, it did not consider information security risks from intentional threats as a realistic possibility until recently. In commenting on a draft of this report, FDA said it intends to reassess its approach for evaluating software used in medical devices, including an assessment of information security risks.This report is definitely an eye opening read, and also shows that the Federal Government is starting to think outside the box when it comes to Information Security.
Report:
Highlights - FDA Should Expand Its Consideration of Information Security for Certain Types of Devices
Download Full Report (PDF)