As concern over medical device cybersecurity grows, the U.S. Food and Drug Administration has taken additional steps to help hospitals get in front of the issue, an action commended by one medical device company CEO.
The FDA recently announced efforts to strengthen the agency’s medical device cybersecurity program to help device manufacturers identify security vulnerabilities before they release a device, as well as aid manufacturers and healthcare organizations after devices are released if a new risk surfaces.
Christopher McCann, CEO of Snap40 — which manufactures and sells AI-enabled wearable medical devices — said work the FDA has done to promote cybersecurity readiness is key in making sure device developers and vendors keep security at the forefront.
“The FDA can’t solve this problem on their own; the device developers have to do it,” McCann said. “What the FDA can do is make sure we all consider it as a top priority and we keep considering it a top priority even once the device is out there.”
Growth of FDA medical device cybersecurity program
The FDA first took steps to address medical device cybersecurity in 2013 by creating the Cybersecurity Working Group, as well as a framework for addressing cybersecurity regulatory considerations. The agency finalized its premarket guidance, which identifies medical device security vulnerabilities and issues for manufacturers to consider while designing and developing the devices, in 2014, followed by a postmarket guidance.
Now, the FDA has released a draft update to its premarket guidance to reflect its current knowledge and understanding of medical device cybersecurity risks. According to a statement by FDA Commissioner Scott Gottlieb, the new draft guidance highlights providing medical device customers and users with a “cybersecurity bill of materials,” or a list of device software and hardware components that could be susceptible to vulnerabilities.
“Depending on the level of cybersecurity risk associated with a device, this list can be an important resource to help ensure that device customers and users are able to respond quickly to potential threats,” Gottlieb said.
One example of the FDA’s forward-thinking approach involves what happens after a device is out in the market, McCann said. After a developer detects a cybersecurity problem, McCann said the company can immediately release an update to fix the problem without necessarily having to get reapproved by the FDA.
McCann takes a positive view of the steps the FDA has taken to address medical device cybersecurity issues, including the release of the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.
“The fact that they were, within the first couple of pages, talking about making sure everyone is working together I think was a really positive sign,” McCann said. “Without that you won’t effectively respond to a security incident.”
Section five of the playbook notes that security incident preparedness and response for healthcare organizations can be strengthened through collaboration and outreach to regional partners, such as the local or state department of health, department of safety or emergency response and geographically or organizationally aligned peer hospitals.
Medical device cybersecurity issue looms
Medical device cybersecurity is no longer a theoretical issue. Cybersecurity expert Larry Ponemon previously pointed out that one of the greatest areas of emerging risk is IoT, and as medical devices become more embedded in IoT, the potential for cybersecurity risks increases.
As the number of cyberattacks continues to grow, according to the Journal of the American Medical Association, Gottlieb said the FDA has heard multiple concerns about the potential for cyber criminals to attack medical devices that are connected to broader health IT networks.
“The FDA isn’t aware of any reports of an unauthorized user exploiting a cybersecurity vulnerability in a medical device that is in use by a patient,” he said in the statement. “But the risk of such an attack persists.”
McCann said security will always be an issue for medical devices, and it can never stop being improved because there will always be someone trying to get around the security measures.
“What the FDA is really doing with this announcement is making sure the device developers have security at the forefront of their minds so it’s not an afterthought,” McCann said.