In response to congressional requests, the GAO produced a new report on medical device security (http://www.gao.gov/assets/650/647767.pdf). Unlike agencies such as NIST, the GAO provided a number of specific recommendations for the FDA (apparently the oversight of medical device security falls to the FDA). And by “specific” I mean very general, almost cliché recommendations:
1) The FDA should increase its focus on manufacturers’ identification of potential unintentional and intentional computer security threats and vulnerabilities and strategies to mitigate these risks during its pre-market approval review process;
2) Utilize available resources, including those from other entities, such as other federal agencies;
3) Leverage its post-market efforts to identify and investigate information security problems; and
4) Establish a specific schedule for completing this review and implementing these changes.
I really have no idea what any of that is really supposed to do. Despite that, the GAO report is extensive in its detail and description of medical threats and risks.