Matthew Griffin, described as “The Adviser behind the Advisers” and a “Young Kurzweil,” is the founder and CEO of the 311 Institute, a global futures and deep futures consultancy working between the dates of 2020 and 2070, and is an award-winning futurist and author of “Codex of the Future.” Regularly featured in the global media, including AP, BBC, CNBC, Discovery, RT, and Viacom, Matthew’s ability to identify, track, and explain the impacts of hundreds of revolutionary emerging technologies on global culture, industry and society is unparalleled. Recognised for the past six years as one of the world’s foremost futurists, innovation and strategy experts, Matthew is an international speaker who helps governments, investors, multi-nationals and regulators around the world envision, build and lead an inclusive, sustainable future. A rare talent, Matthew’s recent work includes mentoring Lunar XPrize teams, re-envisioning global education and training with the G20, and helping the world’s largest organisations envision and ideate the future of their products and services, industries, and countries. Matthew’s clients include three Prime Ministers and several governments, including the G7, Accenture, Bain & Co, BCG, BOA, Blackrock, Bentley, Credit Suisse, Dell EMC, Dentons, Deloitte, Du Pont, E&Y, GEMS, HPE, Huawei, JPMorgan Chase, KPMG, McKinsey, PWC, Qualcomm, SAP, Samsung, Sopra Steria, UBS, and many more.
WHY THIS MATTERS IN BRIEF
More and more implanted medical devices are becoming connected devices, and this exposes them to cyberattacks. The FDA’s new cybersecurity guidance hopes to curtail those attacks and prevent deaths that might result from an attack on people’s IMDs.
You have a pacemaker. It’s hacked. You’re dead. Sorry about that, but the company that built it didn’t think that would happen.
That’s the reality faced by millions of people today who have Implanted Medical Devices (IMDs) in their bodies, such as pacemakers and insulin pumps, that were never designed to cope with, or protect against, targeted cyber attacks, and which are increasingly just one of a growing collection of “connected devices”.
In 2016, in the US alone, doctors fitted over 350,000 pacemakers and 140,000 Implantable Cardioverter Defibrillators (ICDs). Globally it’s estimated that the figure is well over a million units per year, and that doesn’t take into account all of the other IMDs.
This week the Food and Drug Administration (FDA) issued its final guidance, entitled “Postmarket Management of Cybersecurity in Medical Devices,” on protecting medical devices from cyberattacks.
The FDA wants manufacturers to boost their cybersecurity measures by incorporating ways to monitor and detect vulnerabilities in the products they make. It also wants manufacturers to create a system, a little akin to Microsoft’s or Google’s bug bounty systems, that allows them to receive information about potential vulnerabilities from cybersecurity researchers. If they come across an exploitable flaw, the agency wants the companies to assess the risk it poses to patients. Finally, it wants the medical device makers to issue software patches to fix any vulnerability they find.
All in all it’s not groundbreaking, but then it doesn’t have to be. By simply establishing guidelines and a foundation for detecting, managing and fixing vulnerabilities, the FDA is prompting manufacturers into action.
According to the FDA, this final guidance “recognizes today’s reality that cybersecurity threats are real, ever present and continuously changing.” The new guidelines apply to all medical devices, including those already out on the market, such as the ones manufactured by St. Jude Medical, which recently became the target of a hedge fund that shorted its stock and sent the stock price down 5% after releasing research claiming the devices were vulnerable to cyber attack. The FDA is now investigating.
The FDA promises to adjust its guidance or even issue a new one if needed, since cyberthreats can evolve and hackers can become even more capable.
“Digital connections power great innovation, and medical device cybersecurity must keep pace with that innovation. The same innovations and features that improve health care can increase cybersecurity risks. This is why we need all stakeholders in the medical device ecosystem to collaborate to simultaneously address innovation and cybersecurity. We’ve made great strides but we know that cybersecurity threats are capable of evolving at the same pace as innovation, and therefore, more work must be done,” they said in a statement.