How the FDA Pushes Medical Device Cybersecurity

A phony myth might be fun on Halloween, but spooky is no good in the medical device industry. Still, quite a few legends surrounding the FDA’s role in promoting the cybersecurity of medical devices have bounced around the healthcare-technology sphere. Today, a higher-up in the agency made clear what exactly the regulator does to encourage strong digital defenses—and why that goal is crucial.

Suzanne B. Schwartz, MD, MBA, associate director for science and strategic partnerships at the FDA’s Center for Devices and Radiological Health, wrote a blog post championing a thorough approach to device security, from a project’s early days to long after it enters the market.

“With so many devices dependent on software and internet access today, having a plan in place to address cybersecurity risks is as essential to the device development process as coming up with a novel new product,” Schwartz wrote. “Working with the medical device industry and other federal agencies, FDA will continue its work to ensure the safety and effectiveness of medical devices at all stages of their lifecycles against potential cyber threats.”

For one, the regulator has published guidances encouraging device manufacturers to track cybersecurity risks throughout a product’s life, she noted. The agency “incentivizes industry” to update marketed and distributed devices to reduce cyberattack risks, she said.

The recommendations are meant to help companies navigate the complex nature of “critical safety systems,” requiring a “collaborative approach to finding solutions,” Schwartz wrote.

Released in late 2016, the guidance for post-market management is a 30-page document that lists specific vulnerabilities that companies should test, how they should go about doing that, threat reporting recommendations, and more. For instance, the document notes that changes to a medical device made solely to boost security—like a patch—are considered enhancements and don’t need to be reported.

The FDA also aims to work with manufacturers and the public to dispel myths. Some common bogus claims?

• The FDA is the only federal body responsible for medical device cybersecurity. (It’s not.)
• Cybersecurity for medical devices is optional. (Federal regulations require risks to be addressed.)
• Medical manufacturers can’t update devices for security. (They always can.)
• Healthcare organizations can’t patch devices to beef up their cyber defenses. (The FDA recommends they “work closely” with manufacturers.)
• The FDA validates security software changes. (That’s up to the manufacturer.)
• The FDA tests the cybersecurity of medical devices. (Again, that task falls on the company.)
• Developers of off-the-shelf software used in medical devices must ensure the code is secure for healthcare uses. (Yet another responsibility of the device maker.)

The regulator considers cybersecurity efforts in this area important not just due to the potential loss or theft of patient medical data, but also because the health implications, Schwartz wrote. “A breach that potentially impacts the safety and effectiveness of a medical device can threaten the health and safety of an individual or patients using the device,” she explained.

She pointed to cyberattacks, like WannaCry and Petya, which have exposed vulnerabilities in healthcare across the globe in 2017. If healthcare is to stay on top of these “constant” threats, hospitals, device makers, and other organizations must team up, Schwartz wrote.

Photo credits: Thumbnail: U.S. Air Force photo/Kemberly Groue; Article: FDA