by pherz 4725 days ago
Not exactly new, the FDA is just getting around* to releasing draft guidance [0] and is/has been ramping up their consideration of device security in the PMA/401k approval processes already. What really lit the fire under medical companies' asses was the 2011 Black Hat presentation [1] of the hacked insulin pump. Depressingly and unsurprisingly, the risk to reputation has been the biggest driver of security so far. The blowback also led to Congress commissioning a GAO report released almost a year ago [2] that concluded that the FDA really should do something and is actually more meaningful on evaluating software than the recent draft guidance. There was already some FDA guidance on security of devices containing COTS from 2005 [3], but it wasn't just about COTS, and even the author of that guidance would tell you the biggest mistake in it was mentioning COTS in the title.

[0] http://www.fda.gov/downloads/MedicalDevices/DeviceRegulation...
[1] http://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.htm...
[2] http://www.gao.gov/products/GAO-12-816
[3] http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidanc...

* This guidance is overdue and vague as usual. The FDA is generally well intentioned but politics will slow them down even after it's a foregone conclusion that they're going to do something.