At the 2011 Black Hat security conference, a diabetic man named Jerome Radcliffe showed how someone could hack into a wireless insulin pump.

Medical devices are just the latest in a growing list of Internet of Things devices that are at risk for potential hacks. On the surface, it may seem almost foolish to worry that some stranger will want to control a person’s insulin dosage or shut off a pacemaker or manipulate health data, but we also wondered why anyone would want to hack into cloud storage to steal compromising photos of actresses or why someone would stage a major attack on an entertainment company in retaliation for a movie. If something can be hacked, it will be hacked. If for no other reason, this puts medical devices and the patients who rely on them at great risk.

Like virtually every device connected to a network, medical equipment was never designed with cybersecurity in mind. However, thanks to the Food and Drug Administration’s new guidelines, that will change. Manufacturers are now instructed to build cybersecurity functionality into new medical devices. How these cybersecurity functions will be addressed will depend on the device itself – its intended use, overall vulnerability concerns, and risks to the patient, for instance. The guidelines go on to list the types of cybersecurity functions that should be included, such as layered authentication levels and timed usage sessions that ensure the device isn’t connected to the network any longer than necessary.

The regulations are in response to the findings of researchers like Radcliffe who have shown just how easy it is for someone to take control of a wireless medical device. In addition, the Department of Homeland Security has been investigating reports of vulnerable medical equipment.
“These security measures ensure that companies which are developing these products are adhering to a certain set of standards to keep users safe,” said Benjamin Caudill, Principal Consultant with Rhino Security Labs.

Of course, the standards won’t make the medical devices 100 percent secure from potential hackers. “There is no such thing as a threat-proof medical device,” Suzanne Schwartz, director of emergency preparedness at the FDA's Center for Devices and Radiological Health, was quoted by USA Today shortly after the guidelines were released.

The new cybersecurity standards also don’t address a serious security threat: older devices currently in use. The guidelines only cover the design of new devices. Also, the software used for many of these older devices isn’t designed for patches and fixes when vulnerabilities are found. Finally, many of the Internet-connected devices in use today were never properly tested for security flaws, Caudill pointed out. We really don’t have any idea just how insecure these devices may be, while at the same time, patients depend on them to stay healthy or alive.

Unfortunately, there is no easy security fix for the devices already in use. Older medical devices are a very tricky subject, explained Don Weber, Senior Security Analyst with InGuardians. “To clarify, there are two types of medical devices: those that are deployed on networks and those that are implanted in patients,” he stated. “Medical IT professionals need to treat older technologies like all other businesses. That is, they need to understand there will be limited to no support or updates and plan the security of these devices and networks appropriately.
This requires network segmentation and monitoring network activity to get a baseline of good activity and thus identify anomalous behavior.”

Considerations for medical devices are slightly different than other categories in the Internet of Things, Weber added. “Many of these medical devices are implanted in their owners. Sometimes it takes life-threatening surgery to implant and replace them. Thus, replacing older devices (whether secure or not) is a choice that will be made by the person and their physician. Are insecure devices a concern? Yes. However, if security vulnerabilities of a device or solution have been identified and disclosed, the owner and their physician can make educated decisions about these risks and determine how best to move forward with future care.”

However, Caudill thinks that eventually those choices will be dictated by recalls on medical devices that pose a security threat. “While many everyday products – from toys to automobiles – are recalled for safety hazards, recalls for cybersecurity vulnerabilities have not yet been seen,” he said. “I suspect as the issues become more well-known (and even cause physical harm to victims), this trend will change, with both manufacturers and government officials seeing cybersecurity as another category of safety to consider in internet-connected products.”

Building in security at the design stage is still a relatively new concept, so no one is quite sure how it will work within the medical manufacturing community. However, it is an important step in ensuring security and allowing patients to focus on getting well.

This article was originally published on Forbes and Sungard AS.