FDA Warning on Medical Devices

Q&A with Mac McMillan

Mac McMillan, chair of the HIMSS Privacy & Security Task Force and CEO of CynergisTek, answers our questions on the FDA and its warnings about cyber threats involving medical devices. He also comments on cyber security risks, devices to watch out for, the FDA and ONC risk-based regulatory framework, and tips for providers on mitigating cyber risks. Read our questions and his answers below.

Question: Why did the FDA issue a warning for cyber threats on medical devices?

Answer: I think the reason they did this was because we now have other parts of the Federal Government tracking threats in our Nation’s Critical Infrastructures – Healthcare being one of those, and they were concerned about what they saw and how that information aligned with their own experiences listening to the complaints of consumers of medical devices. This is not a new issue.

Question: What are the FDA and ONC looking for in their request for comments on risk-based regulatory framework?

Answer: I’m not certain here, but hopefully it means identifying a regulatory framework that takes into consideration certain risk factors that a particular medical device presents to patients and their information that equates to various levels of accreditation they must receive.

Question: What are the biggest cyber security risks when it comes to medical devices?

Answer: They run the spectrum from insecure connections and communications protocols to poorly coded applications to obsolete or unsupported platforms to lack of proper maintenance and administration.

Question: What types of medical devices are proving to have the biggest risks?

Answer: Actually I think it is across the board here, listening to our clients, but certainly ones that are networked, communicate in real time and are involved directly in patient monitoring/care represent a particularly serious risk.

Question: What should health care providers include in their HIPAA Security Analysis when it comes to their medical devices? (or does this apply?)

Answer: Absolutely it applies, especially for those devices that are networked, because they represent a risk not only to patients, but to the enterprise as well. Things like reviewing their connectivity, access control, data retention/protection, encryption, supportability (patching, fixing, service packs), etc. are examples of what should be looked at.

Question: Are there any tips for providers to mitigate cyber threats to their medical devices?

Answer: Sure. First, only select devices that have the right functionality to secure them properly when possible. Second, evaluate the device carefully at time of implementation, understand its weaknesses, and apply mitigating controls where possible. Third, secure and test all connections and communications paths between the device and the network. Fourth, review device security often to stay abreast or hopefully ahead of potential issues. Fifth, and always, educate users and patients on the security issues related to a particular device so that they know what to look for as well and who to report anything anomalous to.