FDA’s Role in Medical Device Cybersecurity

By Suzanne Schwartz, M.D., M.B.A., FDA’s Associate Director for Science and Strategic Partnerships, at the Center for Devices and Radiological Health
Twitter: @US_FDA

Virtually every aspect of our lives – including our health – has gone digital. Medical devices from insulin pumps to implantable cardiac pacemakers are becoming more interconnected and, like computers and the networks they operate in, can be vulnerable to security breaches.

A computer virus or hack resulting in the loss of or unauthorized use of data is one thing. A breach that potentially impacts the safety and effectiveness of a medical device can threaten the health and safety of an individual or patients using the device.

Global cyber-attacks in 2017, including WannaCry and Petya/NotPetya, have had a significant impact on our nation’s critical infrastructure, including the health care and public health sector. Hospitals, pharmaceutical companies, and even the Kiev airport were among the organizations affected earlier this year by cybercriminals who unleashed copies of the ransomware, demanding payment to restore access to computer networks and crucial files.

Because cybersecurity threats are a constant, manufacturers, hospitals, and other facilities must work to prevent them. There is a need to balance protecting patient safety and promoting the development of innovative technologies and improved device performance.

It is the goal of FDA’s Center for Devices and Radiological Health to encourage a coordinated approach of vigilance, responsiveness, resilience, and recovery that fits our culture of continuous quality improvement.

This means taking a total product lifecycle approach, starting at the product design phase when we build in security to help foil potential risks, followed by having a plan in place for managing any risks that might emerge, and planning for how to reduce the likelihood of future risks.

Specifically, FDA encourages medical device manufacturers to proactively update and patch devices in a safe and timely manner. The concept of updates and patches, while not new to traditional information technologies, is complex when it comes to critical safety systems and requires a collaborative approach to finding solutions.

FDA has published guidances (recommendations for manufacturers and others) on comprehensive management of medical device cybersecurity risks throughout the total product life cycle. This includes closely monitoring devices already on the market for cybersecurity issues. And because we want to enable more expedient action, our overall approach incentivizes industry to make changes to marketed and distributed medical devices to reduce risk.

FDA continues to work closely with manufacturers and the public to dispel myths about medical device cybersecurity. On our website is a printer-friendly fact sheet in which we address some of the more prevalent myths concerning FDA and our role in helping to maintain the security of medical devices.

With so many devices dependent on software and internet access today, having a plan in place to address cybersecurity risks is as essential to the device development process as coming up with a novel product. Working with the medical device industry and other federal agencies, FDA will continue its work to ensure the safety and effectiveness of medical devices against potential cyber threats at all stages of their lifecycles.

This article was originally published on FDA Voice and is reprinted here with permission.